On Mon, 11 Feb 2019, Kostya Vasilyev wrote:

> I don't have salifetime in my libreswan config.

Odd, then things are triggered by the remote. Maybe it fails partially
and we then try ourselves?

> Yep seen this - usually after 5 minutes it seems.

That's odd. Maybe there is a continuous failure happening while there
are existing SA's, and these failures take a while to resolve, then
replace the existing one but cause another round of failures that take
5 minutes to resolve? We'd have to see more logs for that to confirm.

> I just tried to change libreswan to auto=ignore so that conns are only
> initiated by the client.

auto=ignore means "do not load the connection at all". You want
"auto=add" for "load the connection and let them initiate to us"

> Now when libreswan initiated (and it connected just fine) the "capabilities"
> (???) were somewhat different:
>
> Feb 11 21:11:44 kman.mobi pluto[14199]: "mytunnel" #2: initiating Quick Mode
> RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1
> msgid:7f30139f proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}

Both ends can suggest what they want. Both parties find the mutual set
of parameters acceptable to both.

> Does "auto=ignore" completely ignore a peer's config section?

Yes. It's like you have no configuration :)

> I also tried "auto=add", same thing or almost.

That should work.

> What's the setting then (can't find it in the docs) to set libreswan to not
> initiate but have the peer config be ready to go - when the other side
> initiates?

auto=add

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
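A responder-only conn of the kind the question above asks for, written out as an added example; it is not taken from the thread, from Kostya's configuration or from libreswan's own documentation. The tunnel name is the one in the posted log line, and the addresses, identities, certificate names and the ike=/esp= lines are assumptions chosen to match the proposal that log line shows (AES_CBC_128, HMAC_SHA2_256_128, MODP2048, IKEv1). The comment block spells out the three auto= values discussed in the thread.

```ini
# /etc/ipsec.d/mytunnel.conf  (added example, not from the thread; all values assumed)
#
# auto= decides what pluto does with this conn at startup:
#   auto=ignore  - the conn is not loaded at all, so a peer that initiates
#                  to us finds no matching configuration
#   auto=add     - the conn is loaded but never initiated by us; it sits
#                  ready to respond when the peer initiates
#   auto=start   - the conn is loaded and we initiate it ourselves

conn mytunnel
    # loaded, responder-only: the peer initiates to us
    auto=add

    left=203.0.113.10            # assumed: our public address
    leftid=@kman.mobi            # assumed identity
    leftcert=kman.mobi           # assumed certificate nickname in the NSS db
    leftrsasigkey=%cert
    right=%any                   # assumed: peer may come from any address
    rightrsasigkey=%cert
    rightca=%same

    ikev2=no                     # the posted log shows an IKEv1 Quick Mode exchange
    ike=aes128-sha2_256;modp2048 # assumed to match proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048
    esp=aes128-sha2_256;modp2048 # assumed to match pfsgroup=MODP2048
    pfs=yes

    # These are the libreswan defaults when omitted; written out so the
    # interval at which a replacement SA is negotiated is visible in the file.
    ikelifetime=1h
    salifetime=8h
    # rekey=no (assumed setting, not raised in the thread): this end does not
    # initiate a replacement SA when one nears expiry, leaving rekeys to the
    # peer as well. Leave at the default (yes) if this end should rekey.
    rekey=no
```

Load it without restarting pluto with `ipsec auto --add mytunnel` (or `ipsec auto --replace mytunnel` after an edit) and confirm with `ipsec status` that the conn is listed but no SA is being initiated from this side; an incoming connection from the peer should then match it and produce the same Quick Mode log lines as above, with the peer as the initiator.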
