Hi Jens,

> But after hours/days I have "hundreds" of these tunnels and they are
> getting more and more until I restart the daemon (on the client).
>
> Why does this happen?
>
> What would be the correct dpdaction or closeaction (if this is the problem).
If the connection is closed or the peer is not reachable anymore and the existing SAs are recreated, there won't be any IPsec SA installed in the kernel for a while. Due to the trap policies (auto=route) another CHILD_SA might be triggered if matching traffic is sent by the client. If this happens multiple times, more and more CHILD_SAs will be (re-)created.

So with auto=route setting the above options to 'clear' is currently better (however, note that the SAs will then only be recreated once the client sends matching traffic).

The same can happen if trap policies are used with break-before-make reauthentication (the default when using ipsec.conf, see [1]), so maybe using reauth=no is also a good idea (or switching to make-before-break reauthentication if the peer supports it).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
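A client-side ipsec.conf conn block that puts the settings discussed in this reply together, added here as an illustration and not taken from Jens's or Tobias's configuration; the connection name, addresses, subnets and identities are placeholders:

```conf
# Added example, not from the original thread. Client-side ipsec.conf
# conn block showing the combination recommended above. Connection name,
# addresses, subnets and identities are placeholders.
conn roadwarrior
    left=%defaultroute
    leftsourceip=%config
    leftid=client@example.org
    right=vpn.example.org
    rightsubnet=10.0.0.0/8
    keyexchange=ikev2
    # Trap policy: the CHILD_SA is only installed once matching traffic
    # from the client hits the policy.
    auto=route
    # Problematic with auto=route: dpdaction=restart / closeaction=restart
    # re-establish the SAs while the trap policy can trigger yet another
    # CHILD_SA for the same traffic, so duplicates accumulate over time.
    # With 'clear' the SA is simply removed; the trap policy recreates it
    # on the next matching packet.
    dpdaction=clear
    closeaction=clear
    dpddelay=30s
    # Break-before-make reauthentication (the ipsec.conf default) opens the
    # same window; disable it unless the peer supports make-before-break.
    reauth=no
```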
