Hi Mirko,

> Does that make sense?

It does, thanks for the nice example (I read the man page entry about left|rightallowany but didn't really get it).

> Can it be done without code changes?

One option is probably to have two configs, one with right=%any and one with right=host.dyndns.org (easy to do with also= or %default). This could result in duplicate SAs if both start at the same time, but charon recognizes this and will close one of them if uniqueids is set to yes (the default).

It should also work with a single config, if you make one of your hosts the initiator and the other the responder. The initiator is configured like you already did:

> auto=start
> dpdaction=restart
> keyingtries=%forever

And to recover from a clean shutdown by the responder you also have to specify closeaction=restart, and to make that work properly add reauth=no on the responder side (it doesn't hurt if you do that on both sides). The uniqueids option could also be problematic with closeaction=restart, so you might have to set it to no on the responder.

If you think it takes too long for DPD to kick in if the responder crashes or the delete gets lost, simply change the retransmission behavior [1].

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/1/wiki/Retransmission

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
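The single-config initiator/responder setup from the reply above, written out as two ipsec.conf files. This is an added example, not configuration from the original thread or the strongSwan project; the host names, IDs, subnets and the use of PSK authentication are constructed placeholders, and only host.dyndns.org is taken from the thread.

```ini
# --- /etc/ipsec.conf on the INITIATOR (the host that dials out) ---
# Assumed names: initiator.example / responder.example, 10.1.0.0/24, 10.2.0.0/24.
config setup
    # default; if two IKE_SAs for the same peer ever appear, charon closes one
    uniqueids=yes

conn dyndns-peer
    left=%defaultroute
    leftid=@initiator.example
    leftsubnet=10.1.0.0/24
    # peer is reached by its DynDNS name, resolved again on each new attempt
    right=host.dyndns.org
    rightid=@responder.example
    rightsubnet=10.2.0.0/24
    authby=psk
    # bring the tunnel up at startup and keep retrying forever
    auto=start
    keyingtries=%forever
    # dead peer detection: restart the connection when the peer stops answering
    dpdaction=restart
    dpddelay=30s
    # also restart when the responder deletes the SA cleanly (e.g. on shutdown)
    closeaction=restart

# --- /etc/ipsec.conf on the RESPONDER (the host behind the dynamic address) ---
config setup
    # a restarted initiator can collide with the stale SA the responder still
    # holds; with closeaction=restart on the initiator this can misfire, so
    # disable the uniqueness check here
    uniqueids=no

conn dyndns-peer
    left=%defaultroute
    leftid=@responder.example
    leftsubnet=10.2.0.0/24
    # the initiator may connect from any address
    right=%any
    rightid=@initiator.example
    rightsubnet=10.1.0.0/24
    authby=psk
    # load the connection but never initiate it; the other side dials in
    auto=add
    # reauthentication recreates the IKE_SA from scratch, which races with the
    # initiator's closeaction=restart; plain rekeying avoids that
    reauth=no
```

Both sides still need the matching PSK in ipsec.secrets. The responder is deliberately passive (auto=add), so only the initiator ever starts the connection and no duplicate SAs are created by both ends dialing at once; the two-config alternative with right=%any and right=host.dyndns.org mentioned in the reply would instead rely on uniqueids=yes to clean up the duplicate.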
