[strongSwan] Caller session management: retry forever
Volodymyr Litovka
doka at funlab.cc
Fri Apr 16 09:05:34 CEST 2021
Hi again,
and charon.conf contains the following:
root@s4:~# cat /etc/strongswan.d/charon.conf | egrep -v "#|^$"
charon {
    close_ike_on_child_failure = yes
    dlopen_use_rtld_now = yes
    half_open_timeout = 10
    inactivity_close_ike = yes
    install_routes = no
    install_virtual_ip = no
    load_modular = yes
    make_before_break = yes
    retransmit_base = 1.8
    retransmit_limit = 45
    retransmit_timeout = 3
    retransmit_tries = 3
    retry_initiate_interval = 10
}
Despite retry_initiate_interval, the caller never tries to repeat the connection
after a NO_PROP failure.
Any ideas what I'm missing?
Thank you.
On 15.04.2021 21:57, Volodymyr Litovka wrote:
>
> Hi colleagues,
>
> is there a way to retry connect on receiving NO_PROPOSAL_CHOSEN from
> the peer? At the moment, I have the following configuration on the
> calling side -
>
> conn-defaults {
>     version = 2
>     proposals = aes256gcm16-prfsha384-ecp384
>     local_addrs = 10.1.3.14
>     encap = yes
>     fragmentation = yes
>     mobike = no
>     send_certreq = yes
>     send_cert = always
>     dpd_delay = 15s
>     rekey_time = 3h
>     unique = keep
>     keyingtries = 0
>     local {
>         auth = pubkey
>         id = fqdn:s4.v.zt
>     }
> }
>
> child-defaults {
>     ah_proposals =
>     esp_proposals = aes192gcm16-aes256gcm16-ecp256
>     local_ts = 0.0.0.0/0
>     remote_ts = 0.0.0.0/0
>     rekey_time = 1h
>     mode = tunnel
>     ipcomp = no
>     tfc_padding = 256
>     if_id_in = %unique
>     if_id_out = %unique
> }
>
> connections {
>     mg1-v-zt: conn-defaults {
>         remote_addrs = 10.1.0.10
>         remote {
>             auth = pubkey
>             id = fqdn:mg1.v.zt
>         }
>         vips = 0.0.0.0
>         children {
>             mg1-v-zt: child-defaults {
>                 updown = /etc/swanctl/bin/xfrm-updown dynamic 25.0.0.25
>                 start_action = start
>                 dpd_action = restart
>                 close_action = start
>             }
>         }
>     }
> }
>
> the responder side contains no information about the caller and responds
> with the following:
>
> Apr 15 17:35:23 mg1 charon-systemd[14389]: received packet: from 10.1.3.14[500] to 10.1.0.10[500] (296 bytes)
> Apr 15 17:35:23 mg1 charon-systemd[14389]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Apr 15 17:35:23 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.14, sending NO_PROPOSAL_CHOSEN
> Apr 15 17:35:23 mg1 charon-systemd[14389]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Apr 15 17:35:23 mg1 charon-systemd[14389]: sending packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
>
> after which the caller stops:
>
> Apr 15 17:35:23 s4 charon-systemd[3306]: received packet: from 10.1.0.10[500] to 10.1.3.14[500] (36 bytes)
> Apr 15 17:35:23 s4 charon-systemd[3306]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Apr 15 17:35:23 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error
> ... nothing more until strongswan is restarted ...
>
> So the question: how to make the calling side try forever, regardless of
> what the remote side responds, or whether it responds at all?
>
> Thank you.
>
>
> --
> Volodymyr Litovka
> "Vision without Execution is Hallucination." -- Thomas Edison
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
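As an added example (not from the post or from strongSwan itself), a small Python parser for the charon-systemd log format quoted above: it matches the responder's "no IKE config found ... sending NO_PROPOSAL_CHOSEN" line and the initiator's "received NO_PROPOSAL_CHOSEN notify error" line, and counts rejected IKE_SA_INIT attempts per initiator address, so an operator of the responder can see which peers are being turned away for lack of a matching connection. The sample log mixes the lines quoted in the post with a constructed second initiator (10.1.3.99) and a constructed non-charon line.

```python
import re
from collections import Counter

# charon-systemd journal line: "<Mon DD HH:MM:SS> <host> charon-systemd[<pid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"charon-systemd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Responder's reason for answering an IKE_SA_INIT request with N(NO_PROP).
NO_CONFIG_RE = re.compile(
    r"no IKE config found for (?P<local>\d+(?:\.\d+){3})\.\.\."
    r"(?P<remote>\d+(?:\.\d+){3}), sending NO_PROPOSAL_CHOSEN"
)
# Initiator's record of the notify, after which it gives up on the IKE_SA.
INIT_ERR = "received NO_PROPOSAL_CHOSEN notify error"

def parse_line(line):
    """Split one charon-systemd log line into its fields, or return None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_no_proposal(lines):
    """Count NO_PROPOSAL_CHOSEN events seen on either side of the exchange."""
    rejects, errors = Counter(), Counter()   # (responder, initiator addr); initiator host
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                          # not a charon-systemd line
        m = NO_CONFIG_RE.search(ev["msg"])
        if m:
            rejects[(ev["host"], m.group("remote"))] += 1
        elif INIT_ERR in ev["msg"]:
            errors[ev["host"]] += 1
    return {"responder_rejects": rejects, "initiator_errors": errors}

# Constructed sample: the mg1/s4 lines quoted in the post, one constructed
# rejection of a second hypothetical initiator (10.1.3.99), and one non-charon line.
SAMPLE_LOG = [
    "Apr 15 17:35:23 mg1 charon-systemd[14389]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]",
    "Apr 15 17:35:23 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.14, sending NO_PROPOSAL_CHOSEN",
    "Apr 15 17:35:23 mg1 charon-systemd[14389]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]",
    "Apr 15 17:35:23 s4 charon-systemd[3306]: received NO_PROPOSAL_CHOSEN notify error",
    "Apr 15 17:40:01 mg1 charon-systemd[14389]: no IKE config found for 10.1.0.10...10.1.3.99, sending NO_PROPOSAL_CHOSEN",
    "Apr 15 17:40:01 mg1 sshd[2201]: Accepted publickey for root from 10.1.3.14 port 51022",
]

if __name__ == "__main__":
    report = summarize_no_proposal(SAMPLE_LOG)
    for (host, peer), n in sorted(report["responder_rejects"].items()):
        print(f"{host}: {n} IKE_SA_INIT rejected from {peer} (no matching config)")
```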