
Expose strongswan half-open IKE_SA / IKE_SA_INIT throttling & DoS thresholds control via CLI
Open, Normal | Public | FEATURE REQUEST

Description

Summary

Add VyOS CLI options to configure strongSwan half-open IKE_SA handling and IKE_SA_INIT throttling/DoS-mitigation parameters (per-peer and global limits, cookie thresholds, timers, and related worker/concurrency knobs) to support high tunnel counts and large-scale bring-up/rekey events.

Use case

With the default strongSwan values, the half-open / IKE_SA_INIT protection logic can throttle new negotiations prematurely (or trigger cookie challenges too aggressively), so tunnel bring-up stalls below the required scale. Tuning these thresholds was necessary for stable operation at 70+ tunnels.

Additional information

Per-peer half-open controls:

  • block_threshold

Half-open lifetime:

  • half_open_timeout

IKE_SA_INIT dropping / rate limiting for half-open:

  • init_limit_half_open
  • cookie_threshold_ip
  • cookie_threshold

Worker/concurrency enabling negotiations to finish before queues grow:

  • threads

The implementation probably should not be limited to these options only; it should let operators tune for higher tunnel scale, faster parallel bring-up and DoS resilience.
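For reference, here is a strongswan.conf fragment showing how the knobs listed above are set today, directly in the strongSwan configuration rather than through any VyOS CLI node (no such nodes exist yet, which is the point of this request). This is an added example, not VyOS-generated configuration; the values are constructed for illustration and are neither strongSwan defaults nor recommended settings. The defender's trade-off is the same for every line: each limit exists to bound the state an unauthenticated IKE_SA_INIT can consume, so raising it buys parallel bring-up at the cost of less protection against a flood of half-open negotiations.

```conf
# Constructed strongswan.conf fragment (illustrative values, not defaults).
# On a stock strongSwan install this would live in a drop-in under
# /etc/strongswan.d/, which strongswan.conf includes; whether VyOS keeps a
# hand-placed drop-in across commits is exactly what this request should settle.
charon {
    # Per-peer-IP limit: once this many IKE_SAs from one source address are
    # half-open, further IKE_SA_INIT from that address is ignored until some of
    # them complete or time out. Many tunnels behind one remote gateway address
    # need this raised; a single flooding source benefits from it being low.
    block_threshold = 50

    # Seconds a half-open IKE_SA may linger before charon drops it. Shorter
    # values free state faster under load; too short breaks slow peers.
    half_open_timeout = 30

    # Global cap on half-open IKE_SAs; IKE_SA_INIT beyond it is dropped.
    # 0 disables the cap (only the cookie mechanism below then applies).
    init_limit_half_open = 0

    # Half-open counts (global, and per source IP) above which charon answers
    # IKE_SA_INIT with a cookie request (RFC 7296 section 2.6) instead of
    # allocating state, so spoofed-source floods cost the daemon nothing.
    cookie_threshold = 200
    cookie_threshold_ip = 20

    # Worker threads processing incoming messages; more threads let
    # negotiations finish before the half-open queue grows.
    threads = 32
}
```

After a change, `swanctl --stats` reports the current number of IKE_SAs and how many of them are half-open, which is the quickest way to confirm whether a stalled bring-up is actually hitting one of these thresholds or is bottlenecked elsewhere.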

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)