Hi Tobias, thanks for your advice.<br><br>I don't think anything's wrong with my configuration because this worked fine before and after this incident, and also on many other devices with the same configuration.<br><br>I'll have to wait until next time this happens to do any traffic analysis - I already restarted the problem client.<br><br>The exact point that traffic stopped flowing also seemed to differ between connection attempts, but auth and address assignment always succeeded.<br><br>So what I'm looking for is a problem that<br>a) happens while a system is running, possibly as a result of interface ups or downs<br>b) doesn't affect normal network traffic<br>c) doesn't affect strongswan auth but does affect subsequent traffic<br>d) is not fixed by an IPsec restart but is fixed by a reboot<br><br>Until next time...<br><br>Alex<br><div class="gmail_quote"><div dir="ltr">On Wed, 25 Jan 2017 at 6:37 pm, Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Alexander,<br class="gmail_msg">
<br class="gmail_msg">
> I've attached a chunk of the log which hopefully shows what was happening.<br class="gmail_msg">
<br class="gmail_msg">
It shows that DPDs do not get through in one direction (response from<br class="gmail_msg">
the peer). So maybe other traffic in that direction is also affected.<br class="gmail_msg">
You also seem to use an IP from the remote subnet inside the tunnel so<br class="gmail_msg">
maybe that is a problem too (see [1]), but this should not affect IKE<br class="gmail_msg">
traffic. Try to check with e.g. tcpdump/Wireshark how traffic flows and<br class="gmail_msg">
where it might get dropped.<br class="gmail_msg">
<br class="gmail_msg">
Regards,<br class="gmail_msg">
Tobias<br class="gmail_msg">
<br class="gmail_msg">
[1]<br class="gmail_msg">
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling" rel="noreferrer" class="gmail_msg" target="_blank">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a><br class="gmail_msg">
<br class="gmail_msg">
</blockquote></div>