[strongSwan] Max OSX client

Claude Tompers claude.tompers at restena.lu
Fri Mar 27 07:38:49 CET 2020 

Hello Tobias,

Thanks a lot for you remarks. I will review the config.

kind regards,
Claude


On 26/03/2020 17:11, Tobias Brunner wrote:
> Hi Claude,
>
>> Before diving deeper into logs etc. Do these connection settings look
>> good to you ? Thinking of all sorts of timers.
> There is lots of questionable stuff in that config.
>
>>>>         ikelifetime=60m
> That's quite low, in particular since you didn't change margintime and
> rekeyfuzz (see [1] for what that means exactly).
>
>>>>         dpdaction=restart
> That doesn't make much sense on a responder as it's unlikely it can
> reach the client to reestablish the connection if it failed to
> retransmit a message several times.
>
>>>>         dpddelay=60s
> That's relatively low for mobile clients that might not be reachable for
> a while.  If you do that, consider changing the retransmission settings
> so clients can be offline for a while [2].
>
>>>>         dpdtimeout=300s
> Has no effect on IKEv2 SAs.
>
>>>>         keyingtries=5
> Same as dpdaction, makes not much sense on a responder for mobile clients.
>
>>>>         inactivity=4h
> This only makes sense if trap policies are used, otherwise no CHILD_SA
> will exist after that (unless the client will reestablish the complete
> connection immediately if the server terminates the CHILD_SA
> unexpectedly, but what would the benefit be of that?).
>
>>>>         lifetime=4h
> Why did you set that longer than the IKE_SA lifetime?  Also, refer to
> [1] for details.
>
>>>>         reauth=yes
> Consider reading up on reauthentication (especially in regards to IKEv2
> responders) on [1].
>
>>>>         mobike=no
> Why would you disable MOBIKE on a connection for mobile roadwarriors?
> It's exactly the use case this extension was designed for.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200327/af798d5a/attachment.sig>

More information about the Users mailing list