On Mon, Sep 17, 2012 at 6:51 PM, Richard Andrews wrote:
> If you have the default of reauth=yes then the IKE SA must be completely
> shut down (and all child SAs) while IKE is restarted. This leads to a
> short period where no child SAs are able to carry traffic.
>
> I suggest you try the same tes
If you have the default of reauth=yes then the IKE SA must be completely
shut down (and all child SAs) while IKE is restarted. This leads to a
short period where no child SAs are able to carry traffic.
I suggest you try the same test with ikelifetime=10min (lifetime=30s) and
verify this is the issu
On Mon, Sep 17, 2012 at 5:23 PM, Diego Woitasen wrote:
> Hi,
> I'm testing my Strongswan installation and I discovered that I have
> packet loss on rekeying. I set these values to reproduce the problem:
>
> ikelifetime=60s
> lifetime=30s
> rekeymargin=20s
> rekeyfuzz=0%
>
> And every time a rekey ap
Hi,
I'm testing my Strongswan installation and I discovered that I have
packet loss on rekeying. I set these values to reproduce the problem:
ikelifetime=60s
lifetime=30s
rekeymargin=20s
rekeyfuzz=0%
And every time a rekey appears in the log file, some packets are lost
(testing with ping -A -c 100
On 09/17/2012 01:46 PM, Martin Willi wrote:
> Hi,
>
>> Testwise, I created a new CA with the ipsec pki tool according to your
>> wiki page (Mac + IKEv1). (My old CA is done with TinyCA).
>> With those certificates I get the same result as for the revobox setup,
>> but still no connection on Mountai
Hi,
> Testwise, I created a new CA with the ipsec pki tool according to your
> wiki page (Mac + IKEv1). (My old CA is done with TinyCA).
> With those certificates I get the same result as for the revobox setup,
> but still no connection on Mountain Lion or Lion.
It seems that installing .mobileco
On 09/06/2012 03:04 PM, Claude Tompers wrote:
> On 09/06/2012 12:20 PM, Martin Willi wrote:
>> Claude,
>>
>>> The other Mountain Lion had the exact same behaviour as mine (also
>>> 10.8.1),
>> Strange, as my 10.8.1 works just fine.
>>
>>> the one with Lion installed 'only' complained about not bein
Hi Hyun,
On 17.09.2012 06:24, Yoo Hyun wrote:
> Thank you, Andreas
>
> I have one more question..
>
> Why check inbound traffic after decryption?
>
> I think firewall can control traffic.
>
Section 4.4.1 "The Security Policy Database (SPD)" of IPsec
RFC 4301 mandates the enforcement of the IPse
Hi Tobias,
that fixes the problem for us.
Thanks for the quick fix
Gerald
> -Original Message-
> From: users-bounces+richter=ecos...@lists.strongswan.org [mailto:users-
> bounces+richter=ecos...@lists.strongswan.org] On Behalf Of Tobias
> Brunner
> Sent: Friday, September 07, 2012 6:17