[strongSwan] Transport mode - specific ports only

Felipe Arturo Polanco felipeapolanco at gmail.com
Wed Mar 6 16:03:58 CET 2019


Hi,

Check your DPD settings; I have seen incorrect settings there cause
multiple SAs to be created.

Thanks,

On Wed, Mar 6, 2019 at 5:57 AM James Masson <james.masson at jmips.co.uk>
wrote:

> Hi list,
>
> I've got a working configuration for a collection of servers using
> transport mode to encrypt only a subset of ports, using strongswan 5.7.2-1.
>
> However, it seems suboptimal, because the servers are generating and
> deleting new SAs every few seconds - I presume for every client port <>
> server port pair? The traffic on these ports is UDP, so there would be
> massive overhead in doing this.
>
> Logs/config/SAs -
> https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472
>
> Can anybody point out a flaw in or improvements to my config?
>
> To be clear, I'm after a config that does crypto negotiation once per IP
> pair, but only encrypts traffic to/from a particular set of ports.
>
> thanks
>
> James M
>
>
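The two things under discussion are a transport-mode child restricted to a set of ports and the IKE_SA's dead peer detection settings. The swanctl.conf fragment below is an added illustration written for this page; it is not the poster's configuration from the gist, nor strongSwan project code, and it does not claim to reproduce or resolve the SA churn reported above. The addresses (192.0.2.10/192.0.2.20), the UDP port range 4000-4010, the PSK and the timer values are all made-up placeholders.

```conf
# swanctl.conf (strongSwan 5.x, swanctl/vici) - added example, placeholder values
connections {
    udp-ports {
        version = 2
        local_addrs  = 192.0.2.10      # placeholder: this host
        remote_addrs = 192.0.2.20      # placeholder: the peer

        local  { auth = psk  id = 192.0.2.10 }
        remote { auth = psk  id = 192.0.2.20 }

        # IKE-level dead peer detection (the setting the reply above points at).
        # dpd_delay is the interval between liveness checks on an idle IKE_SA;
        # with IKEv2 a peer is declared dead after the retransmit timeouts, so
        # no dpd_timeout is needed here.
        dpd_delay = 30s
        rekey_time = 4h

        children {
            udp-ports {
                mode = transport
                # Traffic selectors in <subnet>[<proto>/<port>] form, port
                # ranges allowed. Only UDP to/from 4000-4010 on this host is
                # protected; everything else stays in the clear.
                local_ts  = 192.0.2.10/32[udp/4000-4010]
                remote_ts = 192.0.2.20/32[udp]

                # Install a trap policy so the first matching packet triggers
                # negotiation, and re-trap (rather than tear down) after DPD.
                start_action = trap
                dpd_action   = trap
                close_action = trap

                rekey_time = 1h
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

secrets {
    ike-udp-ports {
        id = 192.0.2.20
        secret = "replace-me-with-a-real-psk"   # placeholder
    }
}
```

Load it with `swanctl --load-all`, then compare `swanctl --list-pols` (the installed policies, which should be the configured port range) with `swanctl --list-sas` (the negotiated CHILD_SAs and their actual traffic selectors). If the SAs listed there carry single ports rather than the configured range, the peers are narrowing the selectors during negotiation; if instead the same selectors are being deleted and re-created, the IKE_SA lifetime or DPD behaviour is the first place to look, as the reply above suggests.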