On Thu, 22 Jun 2017, Nick Howitt wrote:
Originally the "roadwarrior" setup was that one end would never initiate or rekey. This was done with auto=add and rekey=no, and possibly also setting DPD to clear (and implicitly wait for the other end to re-initiate). Somehow a way must be found again to stop the listening end initiating, even if it means adding a further parameter. I think that the changes have introduced a significant interop problem and make my conn unreliable. I hardly use it, but it has been rekeying for days and I only noticed it because of the size of the log file. In my case you can even argue it is rekeying to the wrong IP, as right is defined as %any, so it should not rekey to a specific IP address. I am pretty certain changing the behaviour is wrong, as it can potentially break working setups (like mine). To change the behaviour, really another parameter should be introduced which defaults to allowing the original behaviour.
A conn with auto=add and rekey=no, not manually changed using the ipsec command, should never initiate. If you can gather more detailed logs of that event, that would be useful. Is this a 3.21rcX version?

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
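For reference, an added ipsec.conf fragment (not posted by either participant) showing the responder-only "roadwarrior" conn the thread is discussing; the conn name, IDs and addresses are placeholders:

```conf
# Added example, not from the thread. Responder-only roadwarrior conn:
# this gateway listens for the peer and is never meant to initiate or rekey.
conn roadwarrior
    left=%defaultroute              # this gateway's own address
    leftid=@gateway.example.com     # placeholder identity
    leftsubnet=0.0.0.0/0
    right=%any                      # peer address unknown until it connects,
                                    # so there is nothing to initiate to
    rightid=@client.example.com     # placeholder identity
    authby=secret
    auto=add                        # load the conn, do not initiate it
    rekey=no                        # let the peer rekey; never rekey from here
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear                 # on DPD failure drop the state and wait
                                    # for the peer to re-initiate
```

If a conn like this shows repeated rekeying in the logs toward a specific peer address, that is the behaviour Nick reports and the logs Paul asks for would be the place to start.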
