Hello Tobias,

On 30/11/2017 at 18:16, Tobias Brunner wrote:
> Hi,
>
> Combining reauthentication with closeaction=restart is a bad idea. Note
> that reauth=no does not disable reauthentication if the other peer has
> reauth=yes configured, see [1].

Yes, I removed the reauth=no option. It had been kept here because it was a "good" option to avoid packet losses when reauthenticating, but then we discovered the "make_before_break" that had seemed to solve our problems.

And reading the "closeaction" documentation shows that adding it to our configuration was not our smartest move: I guess that our client tried to restart the connection when it received a legit CLOSE action, as it's the normal behavior when renewing, but then there were two parallel attempts, which is not a good thing and might have caused our problem.

I just applied these new settings and restarted StrongSwan, I'll keep you posted.

Thanks!

> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey#IKEv2-Responder-Behavior
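An added example, not part of the original message and not strongSwan code: a small audit of ipsec.conf-style text that reports every conn whose effective settings combine closeaction=restart with reauthentication, the pairing discussed in the thread. It assumes the documented ipsec.conf defaults (reauth=yes, closeaction=none), applies `conn %default`, does not follow `also=` includes, and runs on a constructed sample; the verdict labels `conflict` and `check-peer` are names chosen for this example.

```python
# ipsec.conf defaults assumed from the strongSwan docs: reauth=yes, closeaction=none.
DEFAULTS = {"reauth": "yes", "closeaction": "none"}

def parse_conns(text):
    """Return {name: {key: value}} for each 'conn' section; 'also=' is not followed."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text):
    """Flag conns whose effective settings pair closeaction=restart with reauth."""
    conns = parse_conns(text)
    base = {**DEFAULTS, **conns.pop("%default", {})}
    findings = []
    for name, opts in conns.items():
        eff = {**base, **opts}
        if eff["closeaction"] != "restart":
            continue
        # reauth=no is still flagged: a peer with reauth=yes reauthenticates anyway.
        findings.append((name, "check-peer" if eff["reauth"] == "no" else "conflict"))
    return findings

# Constructed sample, not the configuration from this thread.
SAMPLE = """\
config setup
    uniqueids = yes
conn %default
    closeaction = restart
conn site-a
    right = 192.0.2.10
conn site-b
    right = 192.0.2.20
    reauth = no
conn site-c
    right = 192.0.2.30
    closeaction = none
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

`conflict` means reauthentication is enabled locally alongside closeaction=restart; `check-peer` means reauth=no is set locally, so the result depends on the other peer's reauth setting.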
