<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 22/06/2017 21:07, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:alpine.LRH.2.21.1706221606001.9587@bofh.nohats.ca">
<br>
On Thu, 22 Jun 2017, Nick Howitt wrote:
<br>
<br>
<blockquote type="cite">Originally the "roadwarrior" setup was
that one end would never initiate or rekey. This was done with
auto=add and rekey=no, and possibly also setting DPD to clear (and
implicitly wait for the other end to re-initiate). Somehow a way
must be found again to stop the listening end initiating even if
it means adding a further parameter. I think that the changes have
introduced a significant interop problem and make my conn
unreliable. I hardly use it but it has been rekeying for days and I
only noticed it because of the size of the log file. In my case you
can even argue it is rekeying to the wrong IP as right is defined
as %any so should not rekey to a specific IP address. I am pretty
certain changing the behaviour is wrong as it can potentially break
working setups (like mine). To change the behaviour, really another
parameter should be introduced which defaults to allow the original
behaviour.
<br>
</blockquote>
<br>
A conn with auto=add and rekey=no, not manually changed using the
ipsec command, should never initiate. If you can gather more detailed
logs of that event, that would be useful. Is this a 3.21rcX version?
<br>
</blockquote>
No, it is a vanilla libreswan-3.20-1.el7.x86_64.rpm from your repo.
Ipsec was restarted last week with a "service ipsec restart" (I know
I should use systemctl but it is more typing) as well for this issue
and I don't use manual ipsec commands. I can gather more info if you
tell me what you want. I have the standard logs, but I guess you
want more.<br>
<br>
Nick<br>
</body>
</html>