The 'keyingtries' config option is not supposed to work for IKEv2, but it
does in Libreswan 4 and older. Libreswan 5, however, reworked the
connection revival code, so it is now revival, not 'keyingtries', that
keeps retrying a connection marked as 'UP'. v5.3+ complains about usage
of the obsolete config option on stderr:
2026-01-12T12:26:09Z | 294 | ovs-monitor-ipsec | WARN | stderr:
b'ipsec addconn: /etc/ipsec.conf:7:
warning: obsolete keyword ignored: keyingtries=%forever\n'
Avoid setting this option for Libreswan 5+ to silence the warnings
in the log.
For v4 and older, 'keyingtries' still provides the retry behavior, so it
is kept there, as it may be dangerous to rely on revival alone on these
older versions.
Signed-off-by: Ilya Maximets <[email protected]>
---
ipsec/ovs-monitor-ipsec.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in
index 34abdb9e4..3b22765a9 100755
--- a/ipsec/ovs-monitor-ipsec.in
+++ b/ipsec/ovs-monitor-ipsec.in
@@ -417,7 +417,6 @@ conn %default
"""
CONN_CONF_BASE = """\
- keyingtries=%forever
type=transport
auto=route
"""
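Review bot: the template this hunk leaves behind still carries `auto=route`, while the commit message describes Libreswan 5 revival as retrying a connection "marked as 'UP'"; it would be worth stating in the commit message (or a comment next to CONN_CONF_BASE) that revival was verified to also cover a routed/on-demand connection on v5, since after this hunk nothing in the base template asks for retries at all and a reader of the code cannot tell what replaced `keyingtries=%forever`.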
@@ -494,6 +493,8 @@ conn prevent_unencrypted_vxlan
# With v5, LibreSWAN removed the auto command, however, it is
# still required for older versions
self.IPSEC_AUTO.append("auto")
+ # keyingtries is obsolete in v5 and has no effect.
+ self.CONN_CONF_BASE += " keyingtries=%forever\n"
if version >= 4:
ipsec_d = args.ipsec_d if args.ipsec_d else "/var/lib/ipsec/nss"
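Review bot: the new comment "keyingtries is obsolete in v5 and has no effect." explains why the key is absent on v5, but it sits in the pre-v5 branch where the key is being added, so it reads backwards; something like "keyingtries is obsolete in v5 (it warns and has no effect), so only add it for older versions" would match the code it annotates. Also make sure the appended string carries the same leading indentation as the other keys in CONN_CONF_BASE (whitespace is not visible in this rendering), since `self.CONN_CONF_BASE += "keyingtries=%forever\n"` is appended verbatim after `auto=route` and the conn block should stay consistently indented.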
--
2.52.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev