On 22/06/2017 21:07, Paul Wouters wrote:
> On Thu, 22 Jun 2017, Nick Howitt wrote:
>> Originally the "roadwarrior" set up was that one end would never initiate or rekey. This was done with auto=add and rekey=no, and possibly also setting DPD to clear (and implicitly wait for the other end to re-initiate). Somehow a way must be found again to stop the listening end initiating even if it means adding a further parameter. I think that the changes have introduced a significant interop problem and make my conn unreliable. I hardly use it but it has been rekeying for days and I only noticed it because of the size of the log file. In my case you can even argue it is rekeying to the wrong IP as right is defined as %any so should not rekey to a specific IP address. I am pretty certain changing the behaviour is wrong as it can potentially break working setups (like mine). To change the behaviour, really another parameter should be introduced which defaults to allow the original behaviour.
>
> A conn with auto=add and rekey=no, not manually changed using the ipsec command, should never initiate. If you can gather more detailed logs of that event, that would be useful. Is this a 3.21rcX version?

No, it is a vanilla libreswan-3.20-1.el7.x86_64.rpm from your repo. Ipsec was restarted last week with a "service ipsec restart" (I know I should use systemctl but it is more typing) as well for this issue and I don't use manual ipsec commands. I can gather more info if you tell me what you want. I have the standard logs, but I guess you want more.

Nick
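For readers unfamiliar with the setup under discussion, here is an added ipsec.conf fragment (not taken from this thread or from the libreswan project's own documentation) showing the responder-side "roadwarrior" conn as Nick describes it: the gateway only listens (auto=add), never rekeys (rekey=no), accepts any peer address (right=%any) and, on DPD failure, clears the state and waits for the client to reconnect (dpdaction=clear). The conn name, addresses and subnet are placeholders; the DPD interval values are assumptions chosen for illustration.

```ini
# Added example, not from the thread: gateway (listening) side of a roadwarrior conn.
# Placeholders: 192.0.2.1, 10.0.0.0/24 and the conn name are not from the thread.
conn roadwarrior-gateway
    # Gateway side: fixed address and the protected subnet behind it.
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    # Client side: unknown address, so the gateway has nothing concrete to initiate to.
    right=%any
    # Load the conn and wait for the client; do not initiate at startup.
    auto=add
    # Let the client own the rekey; the gateway never starts a rekey itself.
    rekey=no
    # Dead Peer Detection (interval values are assumptions for this example):
    # if the client stops answering, drop the state and wait for it to come back.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

With a conn like this loaded, `ipsec status` should list it as loaded but not as an established tunnel until a client connects, and the gateway's log should show the client, never the gateway, as the side initiating or rekeying. A gateway-initiated rekey in the log with right=%any is the symptom Nick reports above.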
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan