author | Ansis Atteka <aatteka@nicira.com> | 2013-09-22 21:21:39 -0700 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2013-09-23 10:45:14 +0200 |
commit | 255b9dac5dd4ef01574481beab53c12d1fb11b1b (patch) | |
tree | 2e14cbcd29a11a2b3ded77dc1ff32aca01f94512 /man/strongswan.conf.5.in | |
parent | 2c4d772a79420b5fb606545be5f74e920c32464c (diff) | |
kernel-netlink: Allow to override xfrm_acq_expires value

When using auto=route, current xfrm_acq_expires default value
implies that tunnel can be down for up to 165 seconds, if
other peer rejected first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>

Diffstat (limited to 'man/strongswan.conf.5.in')
-rw-r--r-- | man/strongswan.conf.5.in | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 9ee82f594..ff7d8ef58 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -626,6 +626,11 @@ Set MTU of ipsecN device .BR charon.plugins.kernel-netlink.roam_events " [yes]" Whether to trigger roam events when interfaces, addresses or routes change .TP +.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]" +Lifetime of XFRM acquire state in kernel, value gets written to +/proc/sys/net/core/xfrm_acq_expires. Indirecly controls the delay of XFRM +acquire messages sent. +.TP .BR charon.plugins.kernel-pfroute.vip_wait " [1000]" Time in ms to wait until virtual IP addresses appear/disappear before failing. .TP |
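
Review bot: The added charon.plugins.kernel-netlink.xfrm_acq_expires entry gives no unit for its [165] default, while the neighbouring vip_wait entry states "Time in ms"; say that the value is in seconds, as the commit message does. "Indirecly" in the third added line should be "Indirectly". Since the value is written to /proc/sys/net/core/xfrm_acq_expires, the text should also state whether charon writes it only when the option is set or always writes the 165 default, because that file is a kernel setting an administrator may already have tuned outside strongswan.conf.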