Hello Fabrice,

On 04.03.2011 08:43, CETIAD - Fabrice Barconnière wrote:
>>> In the past usually two IKE_SAs and corresponding CHILD_SAs were
>>> established and maintained over all subsequent rekeyings. This is
>>> not harmful per se but creates twice the number of tunnels. I have
>>> to check if the INITIAL_CONTACT notification introduced with
>>> strongSwan 4.5.1 has changed this behaviour.
>>>
>> This is indeed the case. With 4.5.1 you get:
>>
>> Mar 3 22:13:18 moon charon:
>> 03[IKE] deleting duplicate IKE_SA for peer 'sun.strongswan.org' due to
>> uniqueness policy
>> 03[IKE] deleting IKE_SA net-net[1] between
>> 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
>>
> So it's better to keep 0 on one side and 2 on the other and execute when
> restart ipsec or reboot "ipsec up" for each peer_configs on the gateway
> where start_action=0.

No, what I wanted to say is that you can set start_action=2 on both sides
because duplicate tunnels now get deleted with strongSwan 4.5.1.

Regards

Andreas

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
