[strongSwan] had to manually up a connection

Felipe Polanco felipeapolanco at gmail.com
Tue Mar 10 03:52:12 CET 2020


Haven't seen that issue.

But you should use reuse_ike SA and reuse_child SA; that avoids duplicate
SAs for phase one and phase two.

On Mon, Mar 9, 2020, 10:49 PM Victor Sudakov <vas at sibptus.ru> wrote:

> Felipe Polanco wrote:
> > I always use auto=route or start_action=trap and just keep a ping
> > running in the background for critical UDP traffic.
> >
> > I know it's a poor man's solution but guarantees the connection is always
> > up.
>
> Does this not cause excessive SAs piling up? I've seen a similar
> problem with Strongswan on my side and a MikroTik on the remote side:
> too many excessive SAs in "ipsec status" output and in MikroTik's
> management console.
>
> My theory was that each trapped packet causes a new SA to be
> attempted/generated until some limit is hit or some resource is
> exhausted.
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
>