Tobias Brunner wrote:
>
> > That could be the case, thanks for the hint. Strongswan could have made 3
> > attempts after detecting a dead peer and given up, is that what you
> > imply?
>
> Yes.
>
> > What's the timeout between keyingtries?
>
> No timeout between them, regular retransmission timeouts apply for each
> attempt.
>
> > And why is
> > `keyingtries=%forever` not the default?
>
> Who knows, legacy reasons maybe (on the other hand, the default is 1 now
> with swanctl.conf).
>
> > Is there no need for `keyingtries=%forever` in the `auto=route` mode?
>
> Further traffic will trigger another acquire (it might even cause
> duplicate SAs if a retry occurs while traffic triggers another acquire
> from the kernel).

Thank you very much Tobias, I've learned a lot from this conversation.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/