Hi list, I've got a working configuration for a collection of servers using transport mode to encrypt only a subset of ports, using strongswan 5.7.2-1 .
However, it seems suboptimal, because the servers are generating and deleting new SAs every few seconds - I presume for every client port <> server port pair ? The traffic on these ports is UDP, so there would be massive overhead in doing this. Logs/config/SAs - https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472 Can anybody point out a flaw in or improvements to my config? To be clear, I'm after a config that does crypto negotiation once per IP pair, but only encrypts traffic to/from a particular set of ports. thanks James M
