Strongswan - increase retransmit_tries from default of 5
-
I'm using using IPSEC VTI with one side set as responder only, following the docs and forum to mitigate duplicate IPSEC SA entries.
When there is a provider outage of 5 or more minutes
(somewhere upstream or in transit - where the local link stays up )
Some of the initiator sides will log "giving up after 5 retransmits"charon 95215 11[IKE] <con3000|9> giving up after 5 retransmits charon 95215 11[IKE] <con3000|9> retransmit 5 of request with message ID 0I have to manually do a reconnect on the IPSEC connection.
Normally FRR OSPF finds an alternate, but I've noticed more often OSPF learned routes disappearing from the System Routes -- Not necessarily causal or related.
-- The coincident problems produce a user-noticeable outage.Is there a way to increase Strongswan's retries attempts - to at least mask some of the shorter outages?
I think it is this variable
StrongSwan.org Wiki -- charon.retransmit_tries
I found a strongswan.conf file in pfsense under
/var/etc/ipsec/strongswan.conf # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.Is there a clean way of inserting
charon.retransmit_tries = 9somewhere else, similar to how
/boot/loader.conf and /boot/loader.conf.localcoexist?