Hi, I don't have any DPD params set, as the example trap-any doesn't have them either.
I see a new IKE_SA initiation every 5 seconds!

Thanks

James M

On Wed, 6 Mar 2019, 3:04 pm Felipe Arturo Polanco, <[email protected]> wrote:
> Hi,
>
> Check your DPD settings, I have seen that incorrect setting on this cause
> multiple SAs to be created.
>
> Thanks,
>
> On Wed, Mar 6, 2019 at 5:57 AM James Masson <[email protected]> wrote:
>
>> Hi list,
>>
>> I've got a working configuration for a collection of servers using
>> transport mode to encrypt only a subset of ports, using strongswan 5.7.2-1.
>>
>> However, it seems suboptimal, because the servers are generating and
>> deleting new SAs every few seconds - I presume for every client port <>
>> server port pair? The traffic on these ports is UDP, so there would be
>> massive overhead in doing this.
>>
>> Logs/config/SAs -
>> https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472
>>
>> Can anybody point out a flaw in or improvements to my config?
>>
>> To be clear, I'm after a config that does crypto negotiation once per IP
>> pair, but only encrypts traffic to/from a particular set of ports.
>>
>> thanks
>>
>> James M
