ike-sa: Optionally try to migrate to the best path on routing priority changes

When multihomed, a setup might prefer to dynamically stay on the cheapest
available path by using MOBIKE migrations. If the cheapest path goes away and
comes back, we currently stay on the more expensive path to reduce noise and
prevent potential migration issues. This is usually just fine for links not
generating real cost.

If we have more expensive links in the setup, it can be desirable to always
migrate to the cheapest link available. By setting charon.prefer_best_path,
charon tries to migrate to the path using the highest priority link, allowing
an external application to update routes to indirectly control MOBIKE behavior.
This option has no effect if MOBIKE is unavailable.

1 files changed, 10 insertions, 0 deletions

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c57..7c56fc1e5 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_best_path = no
+	Wether to prefer updating SAs to the path with the best route.
+
+	By default, charon keeps SAs on the routing path with addresses it
+	previously used if that path is still usable. By setting this option to
+	yes, it tries more aggressively to update SAs with MOBIKE on routing
+	priority changes using the cheapest path. This adds more noise, but allows
+	to dynamically adapt SAs to routing priority changes. This option has no
+	effect if MOBIKE is not supported or disabled.
+
 charon.prefer_configured_proposals = yes
 	Prefer locally configured proposals for	IKE/IPsec over supplied ones as
 	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD