> Because with NAT the sport can be different anyways (due to the NAT) and
> with non-NAT the port 500 seems to be configurable in strongswan.

The initiator's source port might be any, as a NAT device might map port 500 and also port 4500 to different ports.

> Is the port 4500 also configurable?

There are the left/rightikeport options supported via the special socket-dynamic plugin as initiator. But it is not recommended unless you know exactly what you are doing. Port floating/non-ESP markers are not really defined in IKEv2 with custom ports.

> rekey = yes is important, or otherwise my connections will be closed after
> the end of the key lifetime.

Rekeying establishes fresh keys for the IKE_SA. If you set rekey=no, you'll use the same keys as long as the IKE_SA is alive.

> reauth = yes means just that if a rekey happens, then the authentication
> (e.g. via certificates) is also re-done.

Yes.

> Mhh ok,.. yeah,.. perhaps with one exception, that one peer loses his
> credentials (the cert) completely, or it expires?!

Yes.

> btw: is there some bug-tracker for strongswan, where one could hook up
> such issues in order to allow end users (like me) to somehow trace these
> things better?

Our Redmine Wiki has an issue tracking system [1].

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/issues
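As an added example (not part of Martin's reply or the strongSwan project's own documentation), an ipsec.conf conn that uses the rekey and reauth options discussed above together with the lifetime knobs that control when rekeying happens; the conn name, addresses, certificate file, identities and lifetime values are assumed.

```ini
# Added example, not from the mailing-list thread. All names and values are assumed.
config setup

conn site-to-site
    keyexchange=ikev2
    left=192.0.2.1
    leftcert=gwCert.pem
    leftid=@gw.example.org
    right=198.51.100.1
    rightid=@peer.example.org
    # IKE_SA lifetime; a rekey is attempted margintime (randomised by rekeyfuzz)
    # before it expires, so fresh keys are in place before the old ones run out.
    ikelifetime=3h
    margintime=9m
    rekeyfuzz=100%
    # CHILD_SA (IPsec SA) lifetime, rekeyed the same way.
    lifetime=1h
    # rekey=no would keep the same keys until the SA expires and then close the
    # connection; rekey=yes establishes fresh keys and keeps it up.
    rekey=yes
    # reauth=yes re-runs certificate authentication on each IKE_SA rekey, so a
    # peer whose certificate has expired or been lost fails at the next reauthentication.
    reauth=yes
    auto=start
```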
