[strongSwan] had to manually up a connection

Felipe Polanco felipeapolanco at gmail.com
Tue Mar 10 15:34:01 CET 2020


I can't remember what the option was, but I know I used it to avoid multiple
updown running in parallel for the same peer.

Try changing make_before_break to avoid overlapping child_sa, or adjust the
time of idle child_sa to expire faster.

On Mon, Mar 9, 2020 at 11:43 PM Victor Sudakov <vas at sibptus.ru> wrote:

> Victor Sudakov wrote:
> > Felipe Polanco wrote:
> > > > Does this not cause excessive SAs piling up? I've seen a similar
> > > > problem with Strongswan on my side and a MikroTik on the remote side:
> > > > too many excessive SAs in "ipsec status" output and in MikroTik's
> > > > management console.
> > > >
> > > > My theory was that each trapped packet causes a new SA to be
> > > > attempted/generated until some limit is hit or some resource is
> > > > exhausted.
> > > Haven't seen that issue.
> > >
> > > But you should use reuse_ike SA and reuse_child SA, that avoids duplicates
> > > SA for phase one and phase two.
> > >
> >
> > What's their equivalent in the old (ipsec.conf) syntax? I could not find
> > them in ipsec.conf(5)
>
> There is charon.reuse_ikesa (default already "yes") in
> strongswan.conf(5) but no "reuse_child" even there.
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
>