Hi, Check your DPD settings, I have seen that incorrect setting on this cause multiple SAs to be created.
Thanks,

On Wed, Mar 6, 2019 at 5:57 AM James Masson <[email protected]> wrote:
> Hi list,
>
> I've got a working configuration for a collection of servers using
> transport mode to encrypt only a subset of ports, using strongswan 5.7.2-1.
>
> However, it seems suboptimal, because the servers are generating and
> deleting new SAs every few seconds - I presume for every client port <>
> server port pair? The traffic on these ports is UDP, so there would be
> massive overhead in doing this.
>
> Logs/config/SAs -
> https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472
>
> Can anybody point out a flaw in or improvements to my config?
>
> To be clear, I'm after a config that does crypto negotiation once per IP
> pair, but only encrypts traffic to/from a particular set of ports.
>
> thanks
>
> James M
