2f3c08d268
When charon rekeys a CHILD_SA after a soft limit expired, it is only deleted after the hard limit is reached. In case of packet/byte limits this may not be the case for a long time since the packets/bytes are usually sent using the new SA. This may result in a very large number of stale CHILD_SAs and kernel states. With enough connections configured this will ultimately exhaust the memory of the system. This patch adds a strongswan.conf setting that, if enabled, causes the old CHILD_SA to be deleted by the initiator after a successful rekeying. Enabling this setting might create problems with implementations that continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
aikgen.opt
attest.opt
charon-logging.opt
charon-systemd.opt
charon.opt
imcv.opt
imv_policy_manager.opt
manager.opt
medsrv.opt
pacman.opt
pki.opt
pool.opt
scepclient.opt
starter.opt
swanctl.opt
tnc.opt