[strongSwan] Max OSX client
tobias at strongswan.org
Thu Mar 26 17:11:04 CET 2020
> Before diving deeper into logs etc. Do these connection settings look
> good to you ? Thinking of all sorts of timers.
There is lots of questionable stuff in that config.
That's quite low, in particular since you didn't change margintime and
rekeyfuzz (see  for what that means exactly).
That doesn't make much sense on a responder as it's unlikely it can
reach the client to reestablish the connection if it failed to
retransmit a message several times.
That's relatively low for mobile clients that might not be reachable for
a while. If you do that, consider changing the retransmission settings
so clients can be offline for a while.
Has no effect on IKEv2 SAs.
Same as dpdaction, doesn't make much sense on a responder for mobile clients.
This only makes sense if trap policies are used, otherwise no CHILD_SA
will exist after that (unless the client will reestablish the complete
connection immediately if the server terminates the CHILD_SA
unexpectedly, but what would the benefit be of that?).
Why did you set that longer than the IKE_SA lifetime? Also, refer to
 for details.
Consider reading up on reauthentication (especially in regards to IKEv2
responders) on .
Why would you disable MOBIKE on a connection for mobile roadwarriors?
It's exactly the use case this extension was designed for.
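The remark above about a low lifetime combined with unchanged margintime and rekeyfuzz can be checked numerically. The following is an added example, not part of the original message or of strongSwan's code: it applies the ipsec.conf formula rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) with the documented defaults margintime=9m and rekeyfuzz=100%. The sample lifetimes and the ok/risky/broken labels are constructed for illustration.

```python
import re

# ipsec.conf defaults, assumed unchanged as in the thread.
DEFAULT_MARGINTIME = "9m"
DEFAULT_REKEYFUZZ = "100%"
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def seconds(value):
    """Parse an ipsec.conf time value such as 90, 90s, 9m, 3h or 1d."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def rekey_window(lifetime, margintime=DEFAULT_MARGINTIME,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """Return (earliest, latest) rekey time in seconds after SA setup.

    rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz))
    """
    life = seconds(lifetime)
    margin = seconds(margintime)
    fuzz = int(rekeyfuzz.rstrip("%")) / 100
    earliest = life - margin - int(margin * fuzz)  # maximum random fuzz
    latest = life - margin                         # no random fuzz
    return earliest, latest


def assess(lifetime, **kw):
    """Classify a lifetime; the labels are this example's own wording."""
    earliest, latest = rekey_window(lifetime, **kw)
    if latest <= 0:
        return "broken: margintime is not smaller than the lifetime"
    if earliest <= 0:
        return "risky: fuzz can move the rekey to SA setup time or earlier"
    return f"ok: rekey between {earliest}s and {latest}s"


if __name__ == "__main__":
    for life in ("1h", "15m", "5m"):  # constructed sample lifetimes
        print(life, "->", assess(life))
```

With the defaults, any lifetime of 18 minutes or less leaves no guaranteed positive rekey window, so a short lifetime needs margintime and rekeyfuzz lowered along with it.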