[strongSwan] Max OSX client

Tobias Brunner tobias at strongswan.org
Thu Mar 26 17:11:04 CET 2020

Hi Claude,

> Before diving deeper into logs etc. Do these connection settings look
> good to you ? Thinking of all sorts of timers.

There is lots of questionable stuff in that config.

>>>         ikelifetime=60m

That's quite low, in particular since you didn't change margintime and
rekeyfuzz (see [1] for what that means exactly).

>>>         dpdaction=restart

That doesn't make much sense on a responder as it's unlikely it can
reach the client to reestablish the connection if it failed to
retransmit a message several times.

>>>         dpddelay=60s

That's relatively low for mobile clients that might not be reachable for
a while.  If you do that, consider changing the retransmission settings
so clients can be offline for a while [2].

>>>         dpdtimeout=300s

Has no effect on IKEv2 SAs.

>>>         keyingtries=5

Same as dpdaction, makes not much sense on a responder for mobile clients.

>>>         inactivity=4h

This only makes sense if trap policies are used, otherwise no CHILD_SA
will exist after that (unless the client will reestablish the complete
connection immediately if the server terminates the CHILD_SA
unexpectedly, but what would the benefit be of that?).

>>>         lifetime=4h

Why did you set that longer than the IKE_SA lifetime?  Also, refer to
[1] for details.

>>>         reauth=yes

Consider reading up on reauthentication (especially in regards to IKEv2
responders) on [1].

>>>         mobike=no

Why would you disable MOBIKE on a connection for mobile roadwarriors?
It's exactly the use case this extension was designed for.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission

More information about the Users mailing list