kernel-netlink: Allow to override xfrm_acq_expires value
author Ansis Atteka <aatteka@nicira.com>
Mon, 23 Sep 2013 04:21:39 +0000 (21:21 -0700)
committer Martin Willi <martin@revosec.ch>
Mon, 23 Sep 2013 08:45:14 +0000 (10:45 +0200)
commit 255b9dac5dd4ef01574481beab53c12d1fb11b1b
tree 2e14cbcd29a11a2b3ded77dc1ff32aca01f94512
parent 2c4d772a79420b5fb606545be5f74e920c32464c
kernel-netlink: Allow to override xfrm_acq_expires value

When using auto=route, the current xfrm_acq_expires default value
implies that the tunnel can be down for up to 165 seconds, if the
other peer rejected the first IKE request with an AUTH_FAILED or
NO_PROPOSAL_CHOSEN error message. These error messages are
completely normal in setups where another application
pushes configuration to both strongSwans without waiting
for acknowledgment that they have updated their configurations.

This patch allows strongswan to override xfrm_acq_expires default
value by setting charon.plugins.kernel-netlink.xfrm_acq_expires in
strongswan.conf.

Signed-off-by: Ansis Atteka <aatteka@nicira.com>
man/strongswan.conf.5.in
src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c