[Swan] Routes dropping

Paul Wouters paul at nohats.ca
Thu Jun 22 20:07:08 UTC 2017


On Thu, 22 Jun 2017, Nick Howitt wrote:

> Originally the "roadwarrior" setup was that one end would never initiate or
> rekey. This was done with auto=add and rekey=no, and possibly also setting DPD
> to clear (and implicitly wait for the other end to re-initiate). Somehow a way
> must be found again to stop the listening end initiating even if it means
> adding a further parameter. I think that the changes have introduced a
> significant interop problem and make my conn unreliable. I hardly use it but
> it has been rekeying for days and I only noticed it because of the size of the
> log file. In my case you can even argue it is rekeying to the wrong IP as
> right is defined as %any so should not rekey to a specific IP address. I am
> pretty certain changing the behaviour is wrong as it can potentially break
> working setups (like mine). To change the behaviour, really another parameter
> should be introduced which defaults to allow the original behaviour.

A conn with auto=add and rekey=no, not manually changed using the ipsec
command, should never initiate. If you can gather more detailed logs
of that event, that would be useful. Is this a 3.21rcX version?

Paul
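
Added example, not part of the original thread and not libreswan's own code: a small Python check that every conn with a %any peer carries the settings named in the thread (auto=add, rekey=no, and DPD set to clear via dpdaction=clear), which rules out a configuration cause before gathering logs. The sample config, conn names and function names are constructed for illustration; `also=` includes are not resolved.

```python
import re

# Settings the thread names for a responder-only ("roadwarrior") conn.
EXPECTED = {"auto": "add", "rekey": "no", "dpdaction": "clear"}

# Constructed sample config; conn names are made up for illustration.
SAMPLE_CONF = """\
conn %default
    dpdaction=clear
conn roadwarrior
    right=%any
    auto=add
    rekey=no
conn misconfigured
    right=%any
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif raw[:1] not in " \t":
            current = None                     # another section, e.g. "config setup"
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def audit_responder_only(text):
    """Map each conn with a %any peer to the settings that differ from EXPECTED."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})       # assumption: %default applies to every conn
    report = {}
    for name, opts in conns.items():
        eff = {**defaults, **opts}
        if "%any" not in (eff.get("left"), eff.get("right")):
            continue                           # fixed peer: not a roadwarrior responder
        report[name] = ["%s=%s (expected %s)" % (k, eff.get(k, "unset"), v)
                        for k, v in EXPECTED.items() if eff.get(k) != v]
    return report

if __name__ == "__main__":
    for conn, problems in audit_responder_only(SAMPLE_CONF).items():
        print(conn, "OK" if not problems else "; ".join(problems))
```

An empty list for a conn means the configuration matches the responder-only setup described above, so any initiation or rekey seen in the logs is worth reporting with the version in use.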