Netgate Discussion Forum

    Strongswan - increase retransmit_tries from default of 5

    IPsec

    ay

      I'm using IPsec VTI with one side set as responder only, following the docs and forum to mitigate duplicate IPsec SA entries.

      When there is a provider outage of 5 or more minutes
      (somewhere upstream or in transit, where the local link stays up),
      some of the initiator sides will log "giving up after 5 retransmits":

      charon	95215	11[IKE] <con3000|9> giving up after 5 retransmits
      charon	95215	11[IKE] <con3000|9> retransmit 5 of request with message ID 0

      I have to manually do a reconnect on the IPsec connection.

      Normally FRR OSPF finds an alternate, but I've noticed more often OSPF-learned routes disappearing from the System Routes -- not necessarily causal or related.
      -- The coincident problems produce a user-noticeable outage.

      Is there a way to increase strongSwan's retry attempts, to at least mask some of the shorter outages?

      I think it is this variable:

      StrongSwan.org Wiki -- charon.retransmit_tries

      I found a strongswan.conf file in pfSense under

      /var/etc/ipsec/strongswan.conf
      # Automatically generated config file - DO NOT MODIFY. Changes will be overwritten.

      Is there a clean way of inserting

      charon.retransmit_tries = 9

      somewhere else, similar to how

      /boot/loader.conf  and  /boot/loader.conf.local

      coexist?

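To size retransmit_tries against a known outage length, it helps to see how long charon actually keeps retrying before it logs "giving up after N retransmits". The script below is an added example, not code from the post above, from pfSense or from strongSwan. It assumes strongSwan's documented exponential back-off: the n-th retransmit (n starting at 1) is sent retransmit_timeout * retransmit_base^(n-1) seconds after the previous send, with defaults of 4.0 s, 1.8 and 5 tries, a final interval of the same form before giving up, and retransmit_limit (0 = off) capping each interval. retransmit_jitter is not modelled, and the script says nothing about where pfSense would persist the option, which the thread leaves open.

```python
"""Retransmit timing for strongSwan's charon daemon.

Added example, not code from the original post, pfSense or strongSwan.
Assumption: the n-th retransmit (n >= 1) is sent
    retransmit_timeout * retransmit_base ** (n - 1)
seconds after the previous send, and after the last retransmit charon
waits one more interval before logging "giving up after N retransmits".
retransmit_limit (0 = disabled) caps each interval. retransmit_jitter is
deliberately not modelled.
"""

from typing import List


def retransmit_schedule(tries: int = 5, timeout: float = 4.0,
                        base: float = 1.8, limit: float = 0.0) -> List[float]:
    """Seconds charon waits before each retransmit, plus the final wait
    before giving up. Length is tries + 1. Defaults are strongSwan's."""
    if tries < 0 or timeout <= 0 or base <= 0:
        raise ValueError("tries must be >= 0, timeout and base must be > 0")
    waits = []
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit > 0:
            wait = min(wait, limit)  # retransmit_limit caps the back-off
        waits.append(wait)
    return waits


def time_to_give_up(tries: int = 5, timeout: float = 4.0,
                    base: float = 1.8, limit: float = 0.0) -> float:
    """Seconds from the first send of a request to the 'giving up' log line."""
    return sum(retransmit_schedule(tries, timeout, base, limit))


def tries_needed(outage_seconds: float, timeout: float = 4.0,
                 base: float = 1.8, limit: float = 0.0,
                 max_tries: int = 50) -> int:
    """Smallest retransmit_tries whose give-up time covers an outage of the
    given length. Returns -1 if max_tries is still not enough, which can
    happen when retransmit_limit flattens the back-off."""
    for tries in range(max_tries + 1):
        if time_to_give_up(tries, timeout, base, limit) >= outage_seconds:
            return tries
    return -1


def describe(tries: int, **kw) -> str:
    """One-line summary of the schedule for a given retransmit_tries."""
    waits = retransmit_schedule(tries, **kw)
    steps = ", ".join(f"{w:.1f}" for w in waits[:-1]) or "none"
    return (f"retransmit_tries = {tries}: retransmits after {steps} s, "
            f"then gives up {waits[-1]:.1f} s later; total {sum(waits):.0f} s")


if __name__ == "__main__":
    print(describe(5))   # strongSwan default: ~165 s until "giving up"
    print(describe(9))   # the value asked about in the post: ~1780 s
    for outage in (300, 600, 900):
        print(f"{outage} s outage needs retransmit_tries >= {tries_needed(outage)}")
```

With the defaults an initiator gives up about 165 seconds after the first unanswered send, which is why a 5-minute upstream outage reliably produces the log line quoted above; retransmit_tries = 9 stretches that to roughly half an hour. Raising retransmit_base or retransmit_timeout has the same effect with fewer packets, while a non-zero retransmit_limit makes the back-off linear after the cap is hit, so the total grows much more slowly per extra try.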
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.