[Swan] Retransmit interval

Tuomo Soini tis at foobar.fi
Mon Jun 19 07:39:40 UTC 2017


On Mon, 19 Jun 2017 00:50:36 +0300
Bob Cribbs <bob.cribbs at policystat.com> wrote:

> I've tried the changes you suggested, but the result is still the
> same.
> 
> In the conn config, I've added retransmit-timeout and
> retransmit-interval:
> conn customer
>         auto=start
>         authby=secret
>         dpddelay=40
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=yes
>         ike=aes256-sha1
>         phase2alg=aes256-sha1
>         left=%defaultroute
>         leftid=184.X.X.X
>         leftsourceip=184.X.X.X
>         leftsubnet=184.X.X.X/32
>         right=64.Y.Y.Y
>         rightid=64.Y.Y.Y
>         rightsubnet=128.B.B.B/32
>         retransmit-timeout=40
>         retransmit-interval=2000

You have a 2 second retransmit-interval now and you'd
want something like 20 seconds. So use 20000.

But the real issue is that the remote is always sending delete SA.
Receiving delete SA causes an immediate retry. Before, there was a 60+10s
delay before new initiation - but that caused a 70 second ipsec
initiation delay, for example when the remote one restarted.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
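The unit mix-up in the thread (retransmit-interval is in milliseconds, retransmit-timeout in seconds) is easy to catch mechanically. The following is an added example, not code from the thread or from libreswan: it parses a conn block in ipsec.conf style, reports the interval in seconds, and lays out the retransmit times that fit inside the timeout. It assumes libreswan's defaults of 500 ms and 60 s and that the delay doubles after each retransmit, as I recall ipsec.conf(5) describing it; treat both as assumptions. The sample conn block is constructed from the one quoted above, with the same X/Y placeholders.

```python
"""Sanity-check retransmit-interval / retransmit-timeout in a libreswan-style conn block.

Added example; parser and checks are illustrative, not libreswan's own code.
"""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the conn block quoted in the thread.
SAMPLE_CONF = """\
conn customer
        auto=start
        authby=secret
        dpddelay=40
        dpdtimeout=120
        dpdaction=restart
        left=%defaultroute
        leftid=184.X.X.X
        right=64.Y.Y.Y
        retransmit-timeout=40
        retransmit-interval=2000
"""

# Assumed libreswan defaults (ms for the interval, s for the timeout).
DEFAULT_INTERVAL_MS = 500
DEFAULT_TIMEOUT_S = 60


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Handles '#' comments, blank lines and leading whitespace; ignores
    anything outside a conn section (e.g. 'config setup').
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def retransmit_schedule(interval_ms: int, timeout_s: int) -> List[float]:
    """Seconds after the first send at which retransmits fire.

    Assumes the delay doubles after every retransmit and that no retransmit
    is scheduled once it would land at or past retransmit-timeout.
    """
    times: List[float] = []
    elapsed = 0.0
    delay = interval_ms / 1000.0
    while elapsed + delay < timeout_s:
        elapsed += delay
        times.append(elapsed)
        delay *= 2
    return times


def check_retransmit(conn: Dict[str, str]) -> Dict[str, object]:
    """Summarise the retransmit settings of one conn and flag likely mistakes."""
    interval_ms = int(conn.get("retransmit-interval", DEFAULT_INTERVAL_MS))
    timeout_s = int(conn.get("retransmit-timeout", DEFAULT_TIMEOUT_S))
    interval_s = interval_ms / 1000.0
    warnings: List[str] = []
    if interval_s >= timeout_s:
        warnings.append(
            f"retransmit-interval={interval_ms} ms is {interval_s:g} s, which is not "
            f"below retransmit-timeout={timeout_s} s: no retransmit would ever fire"
        )
    if interval_ms < 100:
        warnings.append(
            f"retransmit-interval={interval_ms} is only {interval_ms} ms; "
            "was a value in seconds intended?"
        )
    return {
        "interval_s": interval_s,
        "timeout_s": timeout_s,
        "retransmits": retransmit_schedule(interval_ms, timeout_s),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, check_retransmit(conn))
```

Running it on the quoted block shows why 2000 looks wrong to the replier: a 2 s first retry, then retries at 6, 14 and 30 s, all inside the 40 s timeout. With retransmit-interval=20000 the schedule collapses to a single retry at 20 s.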
