On Tue, 3 Mar 2020, Paul Wouters wrote:
> Current shunt handling cannot deal with this, as the second keyingtries sometimes tries to install a second shunt, which sometimes “works” due to not being widened. This is causing customer issues that are resolved by setting it to 0.
I meant "resolved by setting it to 1".
> It is also unclear which if any shunt should be installed during keyingtries > 1.
>
> Also, if your mesh is symmetric, it doesn’t actually help to try infinitely against a host that doesn’t have it. If that host gains it, the first plaintext will trigger that host to do OE, so there isn’t a delay in not having keyingtries=0 - you gain nothing from the infinite attempts.
Since there might be a better recovery for "private" conns with more than 1 keyingtries, I changed it so that only keyingtries=0 is changed to 1. If it is larger than 1, we leave it untouched. However, note that this currently will run into shunt issues, so I do not recommend it now.

Paul
