<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Martijn,</div><div><br></div><div>I can't help with the more technical portions of your query, but I can confirm that using auto=route has proven to be more reliable than auto=start, as a dropped tunnel seems more likely to be brought back up automatically.</div><div><br></div><div>I had asked specifically about that setting a few years ago, and this is the advice I received:</div><div><br></div><div><a href="https://lists.strongswan.org/pipermail/users/2015-July/008552.html">https://lists.strongswan.org/pipermail/users/2015-July/008552.html</a></div><div><br></div><div>Tom</div><div><br>On Mar 7, 2018, at 1:53 AM, Martijn Grendelman <<a href="mailto:martijn.grendelman@isaac.nl">martijn.grendelman@isaac.nl</a>> wrote:<br><br></div><blockquote type="cite"><div><span>Hi,</span><br><span></span><br><span>I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)</span><br><span>for a long time. We have about 70 ESP tunnels with 19 different</span><br><span>endpoints, most of them IKEv1. The setup has been rock solid for years,</span><br><span>with tunnel outages being extremely rare, and almost always the remote</span><br><span>side's fault.</span><br><span></span><br><span>Last week, I upgraded the system to Debian Stretch (with StrongSwan</span><br><span>5.5.1), and since then, a number of tunnels (but not all of them) have</span><br><span>stability issues. The issue appears to be that CHILD_SAs are not</span><br><span>established when needed, or they disappear after some time. I haven't</span><br><span>really discovered a pattern, and I'm a bit overwhelmed by Charon's</span><br><span>logging output at higher levels. The problems are restricted to IKEv1</span><br><span>connections; IKEv2 connections seem unaffected. 
There don't seem to be</span><br><span>any issues establishing IKE SAs.</span><br><span></span><br><span>Since I didn't make any changes to the configuration in the course of</span><br><span>the upgrade, I can imagine that my config is not up to the standards of</span><br><span>version 5. I pasted relevant parts of my config below. Are there things</span><br><span>that can be improved?</span><br><span></span><br><span>I am sorry I can't be more concrete. I am mostly looking for pointers on</span><br><span>how to solve the issues.</span><br><span></span><br><span>If I want to know why a CHILD_SA is not established, what logging</span><br><span>settings should I use? I'd like some pointers to what kind of messages</span><br><span>to look for, and at what level from which subsystem they would be</span><br><span>logged. Currently, I have this:</span><br><span></span><br><span>        /var/log/charon.log {</span><br><span>            time_format = %b %e %T</span><br><span>            ike_name = yes</span><br><span>            append = yes</span><br><span>            default = 1</span><br><span>            cfg = 4</span><br><span>            net = 0</span><br><span>            flush_line = yes</span><br><span>        }</span><br><span></span><br><span>The problem is that, with 70 tunnels, raising the default log level</span><br><span>higher than 1 leads to A LOT of logging (GBs / day) which quickly</span><br><span>becomes hard to digest.</span><br><span></span><br><span>Here are my 'default' config and some config samples for connections</span><br><span>that suffer from these problems. The example describes two tunnels to</span><br><span>the same endpoint. Only 'leftsubnet' differs. In total, there are 16</span><br><span>tunnels to this endpoint, all sharing the same IKE SA. They only differ</span><br><span>in left- and rightsubnet. 
Does this make sense?</span><br><span></span><br><span>conn %default</span><br><span>        ikelifetime=8h</span><br><span>        keylife=1h</span><br><span>        rekeymargin=9m</span><br><span>        authby=secret</span><br><span>        keyexchange=ikev2</span><br><span>        mobike=no</span><br><span>        auto=start</span><br><span>        leftfirewall=no</span><br><span>        lefthostaccess=no</span><br><span>        closeaction=restart</span><br><span>        dpdaction=restart</span><br><span>        keyingtries=%forever</span><br><span></span><br><span>conn hq_uk_b4a</span><br><span>        left=<left ip></span><br><span>        leftsubnet=172.17.1.0/24</span><br><span>        right=<right ip></span><br><span>        rightsubnet=10.53.13.0/24</span><br><span>        ike=aes256-sha1-modp1024</span><br><span>        esp=aes256-sha1-modp1024</span><br><span>        keyexchange=ikev1</span><br><span>        ikelifetime=8h</span><br><span></span><br><span>conn hq_uk_b4b</span><br><span>        left=<left ip></span><br><span>        leftsubnet=172.17.5.0/24</span><br><span>        right=<right ip></span><br><span>        rightsubnet=10.53.13.0/24</span><br><span>        ike=aes256-sha1-modp1024</span><br><span>        esp=aes256-sha1-modp1024</span><br><span>        keyexchange=ikev1</span><br><span>        ikelifetime=8h</span><br><span></span><br><span>Hoping for some useful pointers...</span><br><span></span><br><span>Best regards,</span><br><span>Martijn Grendelman.</span><br><span></span><br></div></blockquote></body></html>
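As an added example that is not part of the thread and not strongSwan's own tooling: a small Python linter that parses ipsec.conf-style conn sections, applies %default inheritance the way ipsec.conf semantics do (a conn's own keys override %default), and reports where Tom's advice to replace auto=start with auto=route applies. The embedded sample is Martijn's config from the thread with constructed placeholder IPs; it assumes only `conn` sections matter and ignores `config setup` and `ca` sections.

```python
"""Added example: lint ipsec.conf 'conn' sections after %default inheritance.

Not code from the thread or from strongSwan. Assumes the ipsec.conf layout
used in the thread: section headers in column 0, indented key=value lines,
'#' starting a comment. Only 'conn' sections are parsed.
"""

# Constructed sample input: Martijn's %default and two conns, placeholder IPs.
SAMPLE_CONF = """\
conn %default
        ikelifetime=8h
        keylife=1h
        rekeymargin=9m
        authby=secret
        keyexchange=ikev2
        mobike=no
        auto=start
        leftfirewall=no
        lefthostaccess=no
        closeaction=restart
        dpdaction=restart
        keyingtries=%forever

conn hq_uk_b4a
        left=192.0.2.10
        leftsubnet=172.17.1.0/24
        right=198.51.100.20
        rightsubnet=10.53.13.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        keyexchange=ikev1
        ikelifetime=8h

conn hq_uk_b4b
        left=192.0.2.10
        leftsubnet=172.17.5.0/24
        right=198.51.100.20
        rightsubnet=10.53.13.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        keyexchange=ikev1
        ikelifetime=8h
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    %default inheritance is NOT applied here; see effective_settings().
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header in column 0, e.g. "conn %default" or "config setup".
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue  # parameter of a non-conn section (config setup, ca, ...)
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def effective_settings(sections, name):
    """Merge a conn with %default: the conn's own keys win over %default's."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def lint(sections):
    """Return {conn_name: [finding, ...]} for every conn except %default."""
    default = sections.get("%default", {})
    findings = {}
    for name, own in sections.items():
        if name == "%default":
            continue
        eff = effective_settings(sections, name)
        notes = []
        if eff.get("auto") == "start":
            where = "set explicitly" if "auto" in own else "inherited from %default"
            notes.append(f"auto=start ({where}); consider auto=route so a dropped "
                         f"tunnel is re-established by matching traffic")
        for key, value in own.items():
            if default.get(key) == value:   # redundant override, e.g. ikelifetime=8h
                notes.append(f"{key}={value} repeats the %default value")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for conn, notes in lint(parse_ipsec_conf(SAMPLE_CONF)).items():
        print(conn)
        for note in notes:
            print("  -", note)
```

Running it against the sample reports, for both conns, that auto=start is inherited from %default and that the per-conn ikelifetime=8h merely repeats the default; the same parser can be pointed at a real ipsec.conf to see which of the 70 tunnels would actually change behaviour if %default were switched to auto=route.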