Hi,

> rekeymargin=1s

At least for productive setups, you definitely should avoid such short margins. Not unlikely that rekeying does not complete within that second. The kernel then triggers a delete before the SA has been rekeyed.

> If I send some traffic in order to trigger the SP, I get a SADB_ACQUIRE
> message from the kernel but strongswan complains there is no trap set.
>
> This sounds like a bug, I mean 'start' would imply 'route'. But maybe I
> missed something?

No, "start" does not imply "route". It just negotiates the tunnel, but removes any IPsec policy if it is closed. Only with "route" you'll get persistent trap policies. Unfortunately, there is no "start+route", hence you'll have to stick with "route". That does not trigger the tunnel immediately if there is no traffic, but this is usually not a problem. If you instantly need that tunnel, you'll have to trigger it manually, for example with "ipsec up" or by generating matching traffic.

Regards
Martin

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
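As an added illustration (not part of Martin's reply or the strongSwan project's own documentation), an ipsec.conf connection with the two settings discussed above beside an adjusted version; the addresses, subnets, connection names and lifetime values are assumed placeholders, and 9m is strongSwan's default rekeymargin:

```ini
# Added example, not from the original thread. Addresses and names are placeholders.
config setup

# Problematic: auto=start installs the IPsec policy only while the tunnel is
# negotiated, so once the SA is closed there is no trap policy left and a
# SADB_ACQUIRE for matching traffic finds nothing to act on. rekeymargin=1s
# rarely leaves enough time for the rekey to finish before the kernel deletes
# the expiring SA.
conn site-a-bad
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    auto=start
    rekeymargin=1s

# Adjusted: auto=route installs a persistent trap policy, so matching traffic
# brings the tunnel up on demand and it is re-established after a close.
# The rekey margin is kept at a comfortable fraction of the SA lifetime.
conn site-a
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    ikelifetime=3h
    lifetime=1h
    rekeymargin=9m
    auto=route
```

With auto=route the tunnel only comes up once traffic matches the policy; if it is needed immediately, `ipsec up site-a` triggers it by hand.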
