[strongSwan] Max OSX client
claude.tompers at restena.lu
Fri Mar 27 07:38:49 CET 2020
Thanks a lot for you remarks. I will review the config.
On 26/03/2020 17:11, Tobias Brunner wrote:
> Hi Claude,
>> Before diving deeper into logs etc. Do these connection settings look
>> good to you ? Thinking of all sorts of timers.
> There is lots of questionable stuff in that config.
> That's quite low, in particular since you didn't change margintime and
> rekeyfuzz (see  for what that means exactly).
> That doesn't make much sense on a responder as it's unlikely it can
> reach the client to reestablish the connection if it failed to
> retransmit a message several times.
> That's relatively low for mobile clients that might not be reachable for
> a while. If you do that, consider changing the retransmission settings
> so clients can be offline for a while .
> Has no effect on IKEv2 SAs.
> Same as dpdaction, makes not much sense on a responder for mobile clients.
> This only makes sense if trap policies are used, otherwise no CHILD_SA
> will exist after that (unless the client will reestablish the complete
> connection immediately if the server terminates the CHILD_SA
> unexpectedly, but what would the benefit be of that?).
> Why did you set that longer than the IKE_SA lifetime? Also, refer to
>  for details.
> Consider reading up on reauthentication (especially in regards to IKEv2
> responders) on .
> Why would you disable MOBIKE on a connection for mobile roadwarriors?
> It's exactly the use case this extension was designed for.
>  https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>  https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 236 bytes
Desc: OpenPGP digital signature
More information about the Users