author: Martin Willi <martin@strongswan.org> 2016-10-10 15:59:52 +0200
committer: Martin Willi <martin@strongswan.org> 2017-02-17 11:19:38 +0100
commit: 597e8c9e009946c994fcba525bacc647f46bae60
tree: b7635493277c2057218df5165bc77f11e8a94b0e /conf
parent: be27e76869fe58d17ade1cf6d5a84926ce994ef1
ike-sa: Optionally try to migrate to the best path on routing priority changes
When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable.
Diffstat (limited to 'conf')
1 files changed, 10 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c57..7c56fc1e5 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
allocated. Has to be different from **charon.port**, otherwise a random
port will be allocated.
+charon.prefer_best_path = no
+ Wether to prefer updating SAs to the path with the best route.
+ By default, charon keeps SAs on the routing path with addresses it
+ previously used if that path is still usable. By setting this option to
+ yes, it tries more aggressively to update SAs with MOBIKE on routing
+ priority changes using the cheapest path. This adds more noise, but allows
+ to dynamically adapt SAs to routing priority changes. This option has no
+ effect if MOBIKE is not supported or disabled.
charon.prefer_configured_proposals = yes
Prefer locally configured proposals for IKE/IPsec over supplied ones as
responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
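Review bot: the option description has a spelling error and a grammar slip that will ship into the generated strongswan.conf man page: `+ Wether to prefer updating SAs to the path with the best route.` should read "Whether", and `+ to dynamically adapt SAs to routing priority changes.` should read "allows SAs to adapt dynamically to routing priority changes." It would also help operators to state in the text what "best route" means here, since the commit message ties it to the highest-priority link as determined by the routing table, so that someone reading only charon.opt understands that an external process updating routes is what drives the migration.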