On Mon, 19 Jun 2017 00:50:36 +0300
Bob Cribbs <bob.cri...@policystat.com> wrote:

> I've tried the changes you suggested, but the result is still the
> same.
> 
> In the conn config, I've added retransmit-timeout and
> retransmit-interval:
> 
> conn customer
>         auto=start
>         authby=secret
>         dpddelay=40
>         dpdtimeout=120
>         dpdaction=restart
>         pfs=yes
>         ike=aes256-sha1
>         phase2alg=aes256-sha1
>         left=%defaultroute
>         leftid=184.X.X.X
>         leftsourceip=184.X.X.X
>         leftsubnet=184.X.X.X/32
>         right=64.Y.Y.Y
>         rightid=64.Y.Y.Y
>         rightsubnet=128.B.B.B/32
>         retransmit-timeout=40
>         retransmit-interval=2000

You have a 2-second retransmit-interval now and you'd
want something like 20 seconds. So use 20000.

But the real issue is that the remote is always sending delete SA.
Receiving delete SA causes an immediate retry. Before, there was a 60+10s
delay before new initiation, but that caused a 70-second ipsec
initiation delay, for example when the remote one restarted.

-- 
Tuomo Soini <t...@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
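As an added illustration (not code from the thread or from Libreswan), the script below parses the posted conn block and works out how many retransmits fit inside retransmit-timeout for the two interval values discussed above (2000 vs 20000). It assumes the doubling backoff that ipsec.conf(5) describes for retransmit-interval (milliseconds) and retransmit-timeout (seconds), and falls back to Libreswan's documented defaults of 500 ms and 60 s when a key is absent; the sample config is a constructed excerpt of the one quoted in the thread.

```python
import re

# Constructed sample: the retransmit-related part of the conn block
# quoted above (interval in milliseconds, timeout in seconds).
SAMPLE_CONF = """\
conn customer
        auto=start
        authby=secret
        dpddelay=40
        dpdtimeout=120
        dpdaction=restart
        retransmit-timeout=40
        retransmit-interval=2000
"""

# Libreswan defaults from ipsec.conf(5), used when a key is not set.
DEFAULT_INTERVAL_MS = 500
DEFAULT_TIMEOUT_S = 60


def parse_conn(text):
    """Parse ipsec.conf-style 'conn <name>' sections into {name: {key: value}}.
    Comments ('#') are stripped; only indented key=value lines belong to a conn."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def effective_retransmit(conn):
    """Return (interval_ms, timeout_s) for a parsed conn, applying the defaults."""
    interval_ms = int(conn.get("retransmit-interval", DEFAULT_INTERVAL_MS))
    timeout_s = int(conn.get("retransmit-timeout", DEFAULT_TIMEOUT_S))
    return interval_ms, timeout_s


def retransmit_schedule(interval_ms, timeout_s):
    """Offsets (seconds after the initial send) at which retransmits fire.
    Assumption: the delay starts at interval_ms and doubles after each
    retransmit, and no retransmit is sent once the cumulative wait would
    pass timeout_s (the backoff behaviour described in ipsec.conf(5))."""
    delay = interval_ms / 1000.0
    elapsed = 0.0
    offsets = []
    while elapsed + delay <= timeout_s:
        elapsed += delay
        offsets.append(elapsed)
        delay *= 2
    return offsets


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF)["customer"]
    interval_ms, timeout_s = effective_retransmit(conn)
    for candidate in (interval_ms, 20000):
        sched = retransmit_schedule(candidate, timeout_s)
        print(f"interval={candidate} ms, timeout={timeout_s} s -> "
              f"{len(sched)} retransmits at {sched}")
```

Run stand-alone, it shows that a 2000 ms interval under a 40 s timeout produces four retransmits (at 2, 6, 14 and 30 s), while 20000 ms produces a single one at 20 s, which is the "2 seconds vs 20 seconds" difference the reply points out. Note that the schedule only matters when the peer stays silent; as the reply says, an incoming delete SA short-circuits it and triggers an immediate retry regardless of these values.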
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan