Comments (3)
Note it is not convenient to use {start,dpd,close}_action = trap to delay IKE SA renegotiation, as it is less reliable (contrary to the documentation!) than {start,dpd,close}_action
That is wrong. Using "start" does not renegotiate the CHILD_SA if it is explicitly closed by any of the peers and none of the peers negotiate a new one.
from strongswan.
That is wrong. Using "start" does not renegotiate the CHILD_SA if it is explicitly closed by any of the peers and none of the peers negotiate a new one.
Fortunately not. I have tested it quite extensively before creating this feature request (strongSwan 5.9.1). The combination of `{start,dpd,close}_action = start`, or probably at least `close_action = start`, ensures immediate IKE SA and child SA renegotiation if the opposite peer closes the child or even IKE SA cleanly (e.g. `swanctl -t -{c|i} ...` or a clean strongSwan shutdown). And with `keyingtries = 0`, it repeats the renegotiation until it succeeds. Without this being true, I would have created a more important feature request :-)
I have been using `{start,dpd,close}_action = trap` exclusively for a long time, trusting the note in the documentation. But if you have a device behind NAT and only want to make it remotely accessible via an IPsec tunnel, I believe `{start,dpd,close}_action = start` to be the only solution: such a device never sends a packet to the tunnel just on its own behalf (which would trigger the trap policy).
from strongswan.
Okay, sure, we can implement that. But it costs much more money to implement that than to just eat up the carrier charges, or optimize that first.
from strongswan.