From 597e8c9e009946c994fcba525bacc647f46bae60 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Mon, 10 Oct 2016 15:59:52 +0200 Subject: ike-sa: Optionally try to migrate to the best path on routing priority changes When multihomed, a setup might prefer to dynamically stay on the cheapest available path by using MOBIKE migrations. If the cheapest path goes away and comes back, we currently stay on the more expensive path to reduce noise and prevent potential migration issues. This is usually just fine for links not generating real cost. If we have more expensive links in the setup, it can be desirable to always migrate to the cheapest link available. By setting charon.prefer_best_path, charon tries to migrate to the path using the highest priority link, allowing an external application to update routes to indirectly control MOBIKE behavior. This option has no effect if MOBIKE is unavailable. --- conf/options/charon.opt | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'conf') diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 6e0b37c57..7c56fc1e5 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -260,6 +260,16 @@ charon.port_nat_t = 4500 allocated. Has to be different from **charon.port**, otherwise a random port will be allocated. +charon.prefer_best_path = no + Wether to prefer updating SAs to the path with the best route. + + By default, charon keeps SAs on the routing path with addresses it + previously used if that path is still usable. By setting this option to + yes, it tries more aggressively to update SAs with MOBIKE on routing + priority changes using the cheapest path. This adds more noise, but allows + to dynamically adapt SAs to routing priority changes. This option has no + effect if MOBIKE is not supported or disabled. + charon.prefer_configured_proposals = yes Prefer locally configured proposals for IKE/IPsec over supplied ones as responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD -- cgit v1.2.3