Hi Emeric,

On 08/04/2014 10:25 AM, Emeric POUPON wrote:
> Hello,
>
> Thanks for your answer.
> Here is the configuration on the responder (which is in HA mode):
>
> -----
> conn %default
>         ikelifetime=360m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         authby=secret
>
> conn sample-psk-3k
>         left=172.18.0.53
>         leftid=srv.strongswan.org
>         leftsubnet=172.53.0.0/16
>         right=%any
>         auto=add
>         esp=aes128-sha1-modp2048
>         ike=aes128-sha1-modp2048
> ----
With this configuration, the race condition I was talking about will not occur.

> On the passive node I can see some lines like:
> ...
> (unnamed)[24]: CONNECTING, %any[%any]...%any[%any]
> (unnamed)[24]: IKEv2 SPIs: dce7d8aa449c06ea_i 312cbeb706504d9d_r*
> (unnamed)[24]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
> (unnamed)[23]: CONNECTING, %any[%any]...%any[%any]
> (unnamed)[23]: IKEv2 SPIs: 090d4aa0884fd214_i 7ed0a8f6e8581328_r*
> (unnamed)[23]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
> ...

I guess you will have to manually check the log files on both ends (active and passive) to see what gets sent and received by the HA nodes. This way you can find out whether the missing SAs are not sent by your active node or whether your passive node has problems with them. Judging from your config, your passive node's charon should not have problems finding appropriate configurations.

Cheers,
Thomas

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
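The check Thomas suggests, comparing what the active node holds against what the passive node received, as an added example that is not part of the thread and not strongSwan's own tooling: a small Python script that parses status output in the `conn[id]: STATE ...` / `IKEv2 SPIs: ..._i ..._r*` line format quoted above from both nodes and matches IKE_SAs by their SPI pair. SAs that exist only on the active node were never synced; SAs present on both but shown as `(unnamed)` in `CONNECTING` state arrived but were not matched to a connection; SAs only on the passive node are stale. The sample status text, the 203.0.113.x peer addresses, the unique IDs and the SPIs that are not quoted in the thread are constructed for the example, and the list of IKE_SA state names is an assumption about charon's status output.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IKE_SA state names as printed by charon's status output (assumed list).
STATES = "CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING|DESTROYING"

# Header line, e.g. "(unnamed)[24]: CONNECTING, %any[%any]...%any[%any]"
# or "sample-psk-3k[24]: ESTABLISHED 5 minutes ago, ...".
SA_HEADER = re.compile(r"^(?P<conn>[^\[]+)\[(?P<id>\d+)\]: (?P<state>" + STATES + r")\b")
# SPI line, e.g. "(unnamed)[24]: IKEv2 SPIs: dce7d8aa449c06ea_i 312cbeb706504d9d_r*".
SA_SPIS = re.compile(r"^(?P<conn>[^\[]+)\[(?P<id>\d+)\]: IKEv\d SPIs: "
                     r"(?P<spi_i>[0-9a-f]+)_i\*? (?P<spi_r>[0-9a-f]+)_r\*?")

SpiPair = Tuple[str, str]


@dataclass
class IkeSa:
    conn: str          # connection name, "(unnamed)" if charon found no matching config
    uid: int           # charon's per-node unique IKE_SA id, e.g. the 24 in "[24]"
    state: str         # CONNECTING, ESTABLISHED, PASSIVE, ...
    spis: Optional[SpiPair] = None


def parse_status(text: str) -> Dict[SpiPair, IkeSa]:
    """Map (initiator SPI, responder SPI) to the IKE_SA described in status-style text."""
    by_uid: Dict[int, IkeSa] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:
            by_uid[int(m["id"])] = IkeSa(m["conn"].strip(), int(m["id"]), m["state"])
            continue
        m = SA_SPIS.match(line)
        if m and int(m["id"]) in by_uid:
            by_uid[int(m["id"])].spis = (m["spi_i"], m["spi_r"])
    # SPIs are the only identifier shared by both HA nodes; unique ids are per node.
    return {sa.spis: sa for sa in by_uid.values() if sa.spis is not None}


def compare_nodes(active_text: str, passive_text: str) -> Dict[str, list]:
    """Classify IKE_SAs by whether and how they show up on the passive node."""
    active = parse_status(active_text)
    passive = parse_status(passive_text)
    both = set(active) & set(passive)
    return {
        # held by the active node, never seen by the passive node: sync problem
        "missing_on_passive": sorted(set(active) - set(passive)),
        # held only by the passive node: stale entry that was never deleted
        "stale_on_passive": sorted(set(passive) - set(active)),
        # synced, but the passive node could not attach them to a connection
        "unmatched_config": sorted(
            k for k in both
            if passive[k].conn == "(unnamed)" or passive[k].state != "PASSIVE"),
    }


# Constructed sample status output for the two HA nodes (example data, not from the thread
# except for the two SPI pairs and the (unnamed)/CONNECTING lines Emeric quoted).
ACTIVE_STATUS = """\
sample-psk-3k[24]: ESTABLISHED 5 minutes ago, 172.18.0.53[srv.strongswan.org]...203.0.113.10[client-a]
sample-psk-3k[24]: IKEv2 SPIs: dce7d8aa449c06ea_i 312cbeb706504d9d_r*, rekeying in 52 minutes
sample-psk-3k[24]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
sample-psk-3k[25]: ESTABLISHED 4 minutes ago, 172.18.0.53[srv.strongswan.org]...203.0.113.11[client-b]
sample-psk-3k[25]: IKEv2 SPIs: 090d4aa0884fd214_i 7ed0a8f6e8581328_r*, rekeying in 53 minutes
sample-psk-3k[26]: ESTABLISHED 1 minute ago, 172.18.0.53[srv.strongswan.org]...203.0.113.12[client-c]
sample-psk-3k[26]: IKEv2 SPIs: 0123456789abcdef_i fedcba9876543210_r*, rekeying in 56 minutes
"""

PASSIVE_STATUS = """\
(unnamed)[24]: CONNECTING, %any[%any]...%any[%any]
(unnamed)[24]: IKEv2 SPIs: dce7d8aa449c06ea_i 312cbeb706504d9d_r*
(unnamed)[24]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1
(unnamed)[23]: CONNECTING, %any[%any]...%any[%any]
(unnamed)[23]: IKEv2 SPIs: 090d4aa0884fd214_i 7ed0a8f6e8581328_r*
sample-psk-3k[22]: PASSIVE, 172.18.0.53[srv.strongswan.org]...203.0.113.9[client-old]
sample-psk-3k[22]: IKEv2 SPIs: 00000000deadbeef_i 00000000cafef00d_r*
"""

if __name__ == "__main__":
    for category, pairs in compare_nodes(ACTIVE_STATUS, PASSIVE_STATUS).items():
        print(f"{category}:")
        for spi_i, spi_r in pairs:
            print(f"  {spi_i}_i {spi_r}_r")
```

Run it against `ipsec statusall` output captured on each node at the same moment; a pair in `missing_on_passive` points at the active node's HA sync (or the link between the nodes), while a pair in `unmatched_config` shows the passive node did receive the SA and the problem lies in how it resolves the connection for it.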
