Issue #1383
How to limit the amount of the installed Child_SAs
Description
Hi,
I want to limit the amount of the installed Child_SAs. For instance, I'd like to set the max number of installed Child_SAs to "20", and ignore the "rekeyed" Child_SAs; if the number of installed Child_SAs is already "20", a new installed Child_SA can't be established. Is there any parameter that can do this easily? If not, is there any sample way to implement the requirement? Thanks.
History
#1 Updated by Tobias Brunner about 6 years ago
- Status changed from New to Feedback
> For instance, I'd like to set the max number of installed Child_SAs to "20", and ignore the "rekeyed" Child_SAs; if the number of installed Child_SAs is already "20", a new installed Child_SA can't be established.
What do you mean exactly? Why do you want to limit the number of CHILD_SA and/or ignore rekeyed CHILD_SAs? Are you referring to charon keeping rekeyed IKEv1 CHILD_SAs around until they expire? If so, you could enable the charon.delete_rekeyed strongswan.conf option introduced with 5.4.0.
#2 Updated by Daniel Chan about 6 years ago
Tobias Brunner wrote:
> > For instance, I'd like to set the max number of installed Child_SAs to "20", and ignore the "rekeyed" Child_SAs; if the number of installed Child_SAs is already "20", a new installed Child_SA can't be established.
>
> What do you mean exactly? Why do you want to limit the number of CHILD_SA and/or ignore rekeyed CHILD_SAs? Are you referring to charon keeping rekeyed IKEv1 CHILD_SAs around until they expire? If so, you could enable the charon.delete_rekeyed strongswan.conf option introduced with 5.4.0.
Hi Tobias Brunner,
Thanks for your feedback.
My purpose is to limit the number of Child_SAs. I know there is a param charon.ikesa_limit that can limit the maximum number of IKE_SAs, but sometimes one IKE_SA will have multiple Child_SAs, so I want to find a way to limit the Child_SAs, especially the installed Child_SAs. Do you have any idea?
#3 Updated by Tobias Brunner about 6 years ago
> but sometimes one IKE_SA will have multiple Child_SAs, so I want to find a way to limit the Child_SAs, especially the installed Child_SAs. Do you have any idea?
That's currently not possible.