[strongSwan] Caller session management: retry forever

Volodymyr Litovka doka at funlab.cc
Thu Apr 15 20:57:36 CEST 2021 

Hi colleagues,

is there a way to retry connect on receiving NO_PROPOSAL_CHOSEN from the 
peer? At the moment, I have the following configuration on the calling 
side -

conn-defaults {
         version = 2
         proposals = aes256gcm16-prfsha384-ecp384
         local_addrs = 10.1.3.14
         encap = yes
         fragmentation = yes
         mobike = no
         send_certreq = yes
         send_cert = always
         dpd_delay = 15s
         rekey_time = 3h
         unique = keep
         keyingtries = 0
         local {
                 auth = pubkey
                 id = fqdn:s4.v.zt
         }
}

child-defaults {
         ah_proposals =
         esp_proposals = aes192gcm16-aes256gcm16-ecp256
         local_ts = 0.0.0.0/0
         remote_ts = 0.0.0.0/0
         rekey_time = 1h
         mode = tunnel
         ipcomp = no
         tfc_padding = 256
         if_id_in = %unique
         if_id_out = %unique
}

connections {
   mg1-v-zt: conn-defaults {
            remote_addrs = 10.1.0.10
            remote {
                    auth = pubkey
                    id = fqdn:mg1.v.zt
            }
            vips = 0.0.0.0
            children {
                    mg1-v-zt: child-defaults {
                            updown = /etc/swanctl/bin/xfrm-updown dynamic 25.0.0.25
                            start_action = start
                            dpd_action = restart
                            close_action = start
                    }
            }
   }
}

responder side contains no information about the caller, responding with 
the following:

Apr 15 17:35:23 mg1 charon-systemd[14389]: received packet: from 10.1.3.14[500] to 10.1.0.10[500] (296 bytes)
Apr 15 17:35:23 mg1 charon-systemd[14389]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 15 17:35:23 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.14, sending NO_PROPOSAL_CHOSEN
Apr 15 17:35:23 mg1 charon-systemd[14389]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:23 mg1 charon-systemd[14389]: sending packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)

after which caller stop:

Apr 15 17:35:23 s4 charon-systemd[3306]: received packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
Apr 15 17:35:23 s4 charon-systemd[3306]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 15 17:35:23 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error
... nothing more until restart strongswan ...

So the question - how to make calling side try forever regardless of 
what remoteĀ  side responds or do not respond at all?

Thank you.


-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210415/6f68e432/attachment.html>

More information about the Users mailing list