[strongSwan] had to manually up a connection

Felipe Polanco felipeapolanco at gmail.com
Fri Mar 6 15:25:20 CET 2020


Hi,

I have a related question with that.

With auto=route and action=trap I see that the first packet of matching
traffic is always lost: in a ping session, the packet with seq=1 never makes it
to the other side; only from seq=2 onwards do they arrive.

Why does this happen, and is there a way to avoid it? I'm thinking about
SNMP traps over IPsec, which are not retransmitted since they use UDP.

Thanks,

On Fri, Mar 6, 2020 at 6:47 AM Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Victor,
>
> > That could be the case, thanks for the hint. Strongswan could have made 3
> > attempts after detecting a dead peer and given up, is that what you
> > imply?
>
> Yes.
>
> > What's the timeout between keyingtries?
>
> No timeout between them, regular retransmission timeouts apply for each
> attempt.
>
> > And why is
> > `keyingtries=%forever` not the default?
>
> Who knows, legacy reasons maybe (on the other hand, the default is 1 now
> with swanctl.conf).
>
> > Is there no need for `keyingtries=%forever` in the `auto=route` mode?
>
> Further traffic will trigger another acquire (it might even cause
> duplicate SAs if a retry occurs while traffic triggers another acquire
> from the kernel).
>
> Regards,
> Tobias
>
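As an added illustration (not part of this thread and not the poster's or the strongSwan project's own configuration), the following swanctl.conf fragment expresses the two settings discussed above in the newer syntax: a trap policy on the child SA, which is the swanctl counterpart of ipsec.conf auto=route, and the keyingtries setting that Tobias notes now defaults to 1. All hostnames, addresses, subnets, identities and the secret are placeholders chosen for the example.

```conf
# Added example swanctl.conf, not the poster's configuration.
# Hostnames, addresses, subnets, identities and the PSK are placeholders.
connections {
    site-to-site {
        version = 2
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = gw1.example.org
        }
        remote {
            auth = psk
            id = gw2.example.org
        }
        # Counterpart of ipsec.conf keyingtries=%forever (0 = retry until
        # the connection establishes or fails permanently). The swanctl
        # default is 1. With a trap policy it is not strictly needed, since
        # new matching traffic raises a fresh acquire from the kernel, and
        # a retry running while that acquire arrives can produce duplicate
        # SAs, as noted in the reply above.
        keyingtries = 0
        # Dead peer detection: an unanswered DPD exchange tears down the
        # IKE_SA and applies the dpd_action configured on the child below.
        dpd_delay = 30s
        children {
            net {
                local_ts  = 10.1.0.0/24
                remote_ts = 10.2.0.0/24
                # Counterpart of ipsec.conf auto=route: install only a trap
                # policy; the first packet matching it makes the kernel send
                # an acquire, and IKE negotiation starts at that point.
                start_action = trap
                # Re-install the trap policy when the SA is closed by the
                # peer or after a DPD timeout, so the next matching packet
                # retriggers negotiation instead of requiring a manual up.
                close_action = trap
                dpd_action = trap
            }
        }
    }
}

secrets {
    ike-site {
        id = gw2.example.org
        secret = "placeholder-preshared-key"
    }
}
```

Load it with `swanctl --load-all` and confirm the trap policy with `swanctl --list-pols`; an SA appears in `swanctl --list-sas` only after traffic has matched the policy.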