[strongSwan] had to manually up a connection

Victor Sudakov vas at sibptus.ru
Tue Mar 10 04:43:47 CET 2020


Victor Sudakov wrote:
> Felipe Polanco wrote:
> > > Does this not cause excessive SAs piling up? I've seen a similar
> > > problem with strongSwan on my side and a MikroTik on the remote side:
> > > too many excessive SAs in "ipsec status" output and in MikroTik's
> > > management console.
> > >
> > > My theory was that each trapped packet causes a new SA to be
> > > attempted/generated until some limit is hit or some resource is
> > > exhausted.
> > Haven't seen that issue.
> > 
> > But you should use reuse_ike SA and reuse_child SA, that avoids duplicate
> > SAs for phase one and phase two.
> > 
> 
> What's their equivalent in the old (ipsec.conf) syntax? I could not find
> them in ipsec.conf(5).

There is charon.reuse_ikesa (default already "yes") in
strongswan.conf(5) but no "reuse_child" even there.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/