2f3c08d268
When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).

- options
- plugins
- .gitignore
- Makefile.am
- default.opt
- format-options.py
- strongswan.conf
- strongswan.conf.5.head.in
- strongswan.conf.5.tail.in