I can't remember what the option was, but I know I used it to avoid multiple updown running in parallel for the same peer.
Try changing make_before_break to avoid overlapping child_sa, or adjust the time of idle child_sa to expire faster.

On Mon, Mar 9, 2020 at 11:43 PM Victor Sudakov <[email protected]> wrote:

> Victor Sudakov wrote:
> > Felipe Polanco wrote:
> > > > Does this not cause excessive SAs piling up? I've seen a similar
> > > > problem with Strongswan on my side and a MikroTik on the remote side:
> > > > too many excessive SAs in "ipsec status" output and in MikroTik's
> > > > management console.
> > > >
> > > > My theory was that each trapped packet causes a new SA to be
> > > > attempted/generated until some limit is hit or some resource is
> > > > exhausted.
> > > Haven't seen that issue.
> > >
> > > But you should use reuse_ike SA and reuse_child SA, that avoids duplicates
> > > SA for phase one and phase two.
> > >
> >
> > What's their equivalent in the old (ipsec.conf) syntax? I could not find
> > them in ipsec.conf(5)
>
> There is charon.reuse_ikesa (default already "yes") in
> strongswan.conf(5) but no "reuse_child" even there.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/
