<div dir="ltr">Thanks a lot for the explanation!<br><br>On Sunday, April 26, 2015 at 11:09:16 PM UTC+2, Noel Kuntze wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">
<br>
<br>Don't use closeaction=restart.
<br>That option is only there for cases where the other side has
<br>a broken or incompatible implementation of IKE, where CHILD_SAs are
<br>deleted by the other side, although they are still needed.
<br>
<br>Using that option in cases where it is not needed will cause
<br>undesired behaviour.
<br>
<br>Kind Regards,
<br>Noel Kuntze
<br>
<br>GPG Key ID: 0x63EC6658
<br>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
<br>
<br>On 26.04.2015 at 23:06, Miroslav Svoboda wrote:
<br>> What about "closeaction=restart", may it help?
<br>>
<br>> On Sunday, April 26, 2015 at 7:49:55 PM UTC+2, Noel Kuntze wrote:
<br>>
<br>>
<br>> Hello Daniel,
<br>>
<br>> Try keyingtries=%forever
<br>>
<br>> Kind Regards,
<br>> Noel Kuntze
<br>>
<br>> GPG Key ID: 0x63EC6658
<br>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
<br>>
<br>> On 26.04.2015 at 16:31, Daniel Pocock wrote:
<br>>
<br>>
<br>> > I have strongSwan on an OpenWRT router
<br>>
<br>> > ipsec version reports:
<br>> > Linux strongSwan U5.0.4/K3.3.8
<br>>
<br>>
<br>> > Sometimes the DSL goes down and comes up again within a minute or so but
<br>> > the VPN doesn't always re-establish itself.
<br>>
<br>> > I have the following in /etc/ipsec.conf:
<br>>
<br>> > config setup
<br>> >     # strictcrlpolicy=yes
<br>> >     # uniqueids = no
<br>>
<br>> > # Add connections here.
<br>>
<br>> > conn vpn
<br>> >     left=%defaultroute
<br>> >     leftid=@wrt1.example.org
<br>> >     leftcert=wrt1Cert.der
<br>> >     leftsubnet=192.168.1.0/24,2001:1234:5678:0::/64
<br>> >     leftfirewall=no
<br>> >     lefthostaccess=no
<br>> >     right=vpn.example.org
<br>> >     rightid=@vpn.example.org
<br>> >     rightsubnet=198.51.100.0/24,2001:abcd:1234:1000::/52
<br>> >     keyexchange=ikev2
<br>> >     auto=start
<br>> >     dpdaction=restart
<br>>
<br>>
<br>> > Is there anything else I should do to ensure this VPN is always up?
<br>>
<br>> > The OpenWRT device almost always gets the same IP address from the ISP,
<br>> > but it is not guaranteed to be static, so it can only be started from
<br>> > OpenWRT and not from the other end of the link.
<br>>
<br>> > _______________________________________________
<br>> > Users mailing list
<br>> > Users@lists.strongswan.org
<br>> > https://lists.strongswan.org/mailman/listinfo/users
<br>>
<br>
<br></blockquote></div>
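The advice in this thread, as a check that can be run over an ipsec.conf. This is an added example, not code from the thread's participants or from the strongSwan project. The function names and the sample are constructed; the parser assumes the classic layout (section headers in column 0, indented key=value lines) and does not follow `also=` includes.

```python
# Constructed sample: a conn shaped like the one in the thread, plus closeaction.
SAMPLE = """\
config setup
    # uniqueids = no
conn %default
    keyexchange=ikev2
conn vpn
    left=%defaultroute
    right=vpn.example.org
    auto=start
    dpdaction=restart
    closeaction=restart
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}, with 'conn %default' merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def lint(text):
    """Return (conn, option, message) findings for conns this host initiates."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("auto") != "start":
            continue                              # only initiator-side conns
        tries = opts.get("keyingtries", "3")      # ipsec.conf default is 3
        if tries != "%forever":
            findings.append((name, "keyingtries",
                f"gives up after {tries} attempts; set keyingtries=%forever"))
        if opts.get("closeaction") == "restart":
            findings.append((name, "closeaction",
                "restart is only for peers that wrongly delete CHILD_SAs"))
        if opts.get("dpdaction", "none") == "none":
            findings.append((name, "dpdaction", "no action on a dead peer"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```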