[strongSwan] Transport mode - specific ports only

James Masson james.masson at jmips.co.uk
Wed Mar 6 16:53:23 CET 2019


Hi,

I don't have any DPD params set, as the example trap-any doesn't have them
either.

I see a new IKE_SA initiation every 5 seconds!

Thanks

James M

On Wed, 6 Mar 2019, 3:04 pm Felipe Arturo Polanco, <felipeapolanco at gmail.com>
wrote:

> Hi,
>
> Check your DPD settings; I have seen that an incorrect setting on this causes
> multiple SAs to be created.
>
> Thanks,
>
> On Wed, Mar 6, 2019 at 5:57 AM James Masson <james.masson at jmips.co.uk>
> wrote:
>
>> Hi list,
>>
>> I've got a working configuration for a collection of servers using
>> transport mode to encrypt only a subset of ports, using strongSwan 5.7.2-1.
>>
>> However, it seems suboptimal, because the servers are generating and
>> deleting new SAs every few seconds - I presume for every client port <>
>> server port pair? The traffic on these ports is UDP, so there would be
>> massive overhead in doing this.
>>
>> Logs/config/SAs -
>> https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472
>>
>> Can anybody point out a flaw in or improvements to my config?
>>
>> To be clear, I'm after a config that does crypto negotiation once per IP
>> pair, but only encrypts traffic to/from a particular set of ports.
>>
>> thanks
>>
>> James M
>>
>>