<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Tom,<br>
<br>
Thank you, I will give that a try. I also updated StrongSwan to
v5.6.2. Let's see if it helps!<br>
<br>
Best regards,<br>
Martijn.<br>
<br>
<div class="moz-cite-prefix">On 7-3-2018 at 16:35, Tom Rymes wrote:<br>
</div>
<blockquote type="cite"
cite="mid:b8544040327d8a92f5e1edbdd417ceb4,63668427-6A5F-4E01-8063-FD34BB0CB955@rymes.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div>Martijn,</div>
<div><br>
</div>
<div>I can't help with the more technical portions of your query,
but I can confirm that using auto=route has proven to be more
reliable than auto=start, as a dropped tunnel seems more likely
to be brought back up automatically.</div>
<div><br>
</div>
<div>I had asked specifically about that setting a few years ago,
and this is the advice I received:</div>
<div><br>
</div>
<div><a
href="https://lists.strongswan.org/pipermail/users/2015-July/008552.html"
moz-do-not-send="true">https://lists.strongswan.org/pipermail/users/2015-July/008552.html</a></div>
<div><br>
</div>
<div>Tom</div>
<div><br>
On Mar 7, 2018, at 1:53 AM, Martijn Grendelman &lt;<a
href="mailto:martijn.grendelman@isaac.nl"
moz-do-not-send="true">martijn.grendelman@isaac.nl</a>&gt;
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div><span>Hi,</span><br>
<span></span><br>
<span>I have been running StrongSwan on Debian Wheezy (with
StrongSwan 4.5.2)</span><br>
<span>for a long time. We have about 70 ESP tunnels with 19
different</span><br>
<span>endpoints, most of them IKEv1. The setup has been rock
solid for years,</span><br>
<span>with tunnel outages being extremely rare, and almost
always the remote</span><br>
<span>side's fault.</span><br>
<span></span><br>
<span>Last week, I upgraded the system to Debian Stretch (with
StrongSwan</span><br>
<span>5.5.1), and since then, a number of tunnels (but not all
of them) have</span><br>
<span>stability issues. The issue appears to be that
CHILD_SA's are not</span><br>
<span>established when needed, or they disappear after some
time. I haven't</span><br>
<span>really discovered a pattern, and I'm a bit overwhelmed
by Charon's</span><br>
<span>logging output at higher levels. The problems are
restricted to IKEv1</span><br>
<span>connections; IKEv2 connections seem unaffected. There</span><br>
don't seem to be</span><br>
<span>any issues establishing IKE SAs.</span><br>
<span></span><br>
<span>Since I didn't make any changes to the configuration in
the course of</span><br>
<span>the upgrade, I can imagine that my config is not up to
the standards of</span><br>
<span>version 5. I pasted relevant parts of my config below.
Are there things</span><br>
<span>that can be improved?</span><br>
<span></span><br>
<span>I am sorry I can't be more concrete. I am mostly looking
for pointers on</span><br>
<span>how to solve the issues.</span><br>
<span></span><br>
<span>If I want to know why a CHILD_SA is not established,
what logging</span><br>
<span>settings should I use? I'd like some pointers to what
kind of messages</span><br>
<span>to look for, and at what level from which subsystem they
would be</span><br>
<span>logged. Currently, I have this:</span><br>
<span></span><br>
<span> /var/log/charon.log {</span><br>
<span> time_format = %b %e %T</span><br>
<span> ike_name = yes</span><br>
<span> append = yes</span><br>
<span> default = 1</span><br>
<span> cfg = 4</span><br>
<span> net = 0</span><br>
<span> flush_line = yes</span><br>
<span> }</span><br>
<span></span><br>
<span>The problem is that with 70 tunnels, raising the</span><br>
default log level</span><br>
<span>higher than 1 leads to A LOT of logging (GBs / day)
which quickly</span><br>
<span>becomes hard to digest.</span><br>
<span></span><br>
<span>Here are my 'default' config and some config samples for
connections</span><br>
<span>that suffer from these problems. The example describes
two tunnels to</span><br>
<span>the same endpoint. Only 'leftsubnet' differs. In total,
there are 16</span><br>
<span>tunnels to this endpoint, all sharing the same IKE SA.
They only differ</span><br>
<span>in left- and rightsubnet. Does this make sense?</span><br>
<span></span><br>
<span>conn %default</span><br>
<span> ikelifetime=8h</span><br>
<span> keylife=1h</span><br>
<span> rekeymargin=9m</span><br>
<span> authby=secret</span><br>
<span> keyexchange=ikev2</span><br>
<span> mobike=no</span><br>
<span> auto=start</span><br>
<span> leftfirewall=no</span><br>
<span> lefthostaccess=no</span><br>
<span> closeaction=restart</span><br>
<span> dpdaction=restart</span><br>
<span> keyingtries=%forever</span><br>
<span></span><br>
<span>conn hq_uk_b4a</span><br>
<span> left=&lt;left ip&gt;</span><br>
<span> leftsubnet=172.17.1.0/24</span><br>
<span> right=&lt;right ip&gt;</span><br>
<span> rightsubnet=10.53.13.0/24</span><br>
<span> ike=aes256-sha1-modp1024</span><br>
<span> esp=aes256-sha1-modp1024</span><br>
<span> keyexchange=ikev1</span><br>
<span> ikelifetime=8h</span><br>
<span></span><br>
<span>conn hq_uk_b4b</span><br>
<span> left=&lt;left ip&gt;</span><br>
<span> leftsubnet=172.17.5.0/24</span><br>
<span> right=&lt;right ip&gt;</span><br>
<span> rightsubnet=10.53.13.0/24</span><br>
<span> ike=aes256-sha1-modp1024</span><br>
<span> esp=aes256-sha1-modp1024</span><br>
<span> keyexchange=ikev1</span><br>
<span> ikelifetime=8h</span><br>
<span></span><br>
<span>Hoping for some useful pointers...</span><br>
<span></span><br>
<span>Best regards,</span><br>
<span>Martijn Grendelman.</span><br>
<span></span><br>
</div>
</blockquote>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;"
dir="ltr">
<div id="Signature">
Kind regards,<br>
<br>
<b>Martijn Grendelman</b> <b>Infrastructure Architect</b><br>
T: +31 (0)40 264 94 44<br>
<br>
ISAAC, Marconilaan 16, 5621 AA Eindhoven, The Netherlands<br>
T: +31 (0)40 290 89 79 <a href="https://www.isaac.nl" target="_blank" id="LPNoLP">www.isaac.nl</a><br>
<br>
This e-mail message is intended only for the addressee(s). If this message is not intended for you, you are requested to notify the sender by returning the message and not to use its contents. No rights can be derived from this message.
</div>
</div>
</div>
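<div><br>
</div>
<div>Added example for the logging question in the quoted message above; it is not part of the thread and not strongSwan project code. It shows how to pull per-tunnel CHILD_SA lifecycle events out of a charon file log without raising the default log level, which is what produces the GBs per day mentioned. It assumes the filelog format configured in the question (time_format = %b %e %T, ike_name = yes), which prefixes each line with &lt;ike_sa_name|ike_sa_id&gt;. The sample log lines and the message wordings the script matches are constructed for this example and modelled on charon's output, so check them against a real log before relying on them. The pending-negotiation tracking exists for the situation the question describes, several conns sharing one IKE_SA: there the prefix names the IKE_SA, not the tunnel, so the script prefers the CHILD_SA name inside the message and attributes name-less failures (retransmit give-ups) to whichever CHILD_SA was last being negotiated on that IKE_SA.</div>

```python
"""
Triage a strongSwan charon file log for CHILD_SA lifecycle events per tunnel.

Added example, not code from the mailing-list thread or from strongSwan.
Assumes a filelog with time_format = %b %e %T and ike_name = yes. The sample
lines and matched message wordings below are constructed and modelled on
charon's output; verify them against your own log.
"""
import re
from collections import defaultdict

# Shape of one line: "Mar  7 01:53:10 05[IKE] <hq_uk_b4a|3> message ..."
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] '
    r'(?:<(?P<ike>[^|>]+)\|(?P<ike_id>\d+)> )?'
    r'(?P<msg>.*)$')

# CHILD_SA names appear as "name{unique_id}" inside the message text.
CHILD_RE = re.compile(r'CHILD_SA (?P<child>[^\s{]+)\{\d+\}')

# Message fragments mapped to lifecycle events (constructed wording).
EVENTS = [
    ('established',  re.compile(r'CHILD_SA \S+ established with SPIs')),
    ('establishing', re.compile(r'establishing CHILD_SA')),
    ('closed',       re.compile(r'closing CHILD_SA|received DELETE for ESP CHILD_SA')),
    ('failed',       re.compile(r'giving up after \d+ retransmits'
                                r'|failed to establish CHILD_SA'
                                r'|no matching CHILD_SA config found')),
]

# Constructed sample: two conns (hq_uk_b4a, hq_uk_b4b) on one IKE_SA (id 3).
SAMPLE_LOG = """\
Mar  7 01:53:10 05[IKE] <hq_uk_b4a|3> establishing CHILD_SA hq_uk_b4a{11}
Mar  7 01:53:10 05[IKE] <hq_uk_b4a|3> CHILD_SA hq_uk_b4a{11} established with SPIs c1a2b3d4_i d4c3b2a1_o and TS 172.17.1.0/24 === 10.53.13.0/24
Mar  7 01:53:11 07[IKE] <hq_uk_b4a|3> establishing CHILD_SA hq_uk_b4b{12}
Mar  7 01:53:15 07[IKE] <hq_uk_b4a|3> retransmit 1 of request with message ID 2031
Mar  7 01:54:02 07[IKE] <hq_uk_b4a|3> giving up after 5 retransmits
Mar  7 02:10:44 09[IKE] <hq_uk_b4a|3> closing CHILD_SA hq_uk_b4a{11} with SPIs c1a2b3d4_i d4c3b2a1_o and TS 172.17.1.0/24 === 10.53.13.0/24
Mar  7 02:10:44 09[CFG] <hq_uk_b4a|3> looking for a child config for 172.17.5.0/24 === 10.53.13.0/24
Mar  7 03:00:01 11[IKE] <other_site|5> CHILD_SA other_site{2} established with SPIs 01020304_i 04030201_o and TS 172.17.9.0/24 === 10.60.0.0/24
"""


def parse_line(line):
    """Split one log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['event'] = next((n for n, p in EVENTS if p.search(rec['msg'])), None)
    c = CHILD_RE.search(rec['msg'])
    rec['child'] = c.group('child') if c else None
    return rec


def triage(lines):
    """Return {tunnel: counters, 'up' flag and last failure message}.

    Name-less messages are attributed to the CHILD_SA most recently being
    negotiated on the same IKE_SA id, else to the IKE_SA name from the prefix.
    """
    pending = {}  # ike_id -> child name currently being negotiated
    summary = defaultdict(lambda: {'establishing': 0, 'established': 0, 'closed': 0,
                                   'failed': 0, 'up': False, 'last_failure': None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['event'] is None:
            continue
        tunnel = rec['child'] or pending.get(rec['ike_id']) or rec['ike']
        if tunnel is None:
            continue
        entry = summary[tunnel]
        entry[rec['event']] += 1
        if rec['event'] == 'establishing':
            pending[rec['ike_id']] = tunnel
        elif rec['event'] == 'established':
            entry['up'] = True
            pending.pop(rec['ike_id'], None)
        elif rec['event'] == 'closed':
            entry['up'] = False
        elif rec['event'] == 'failed':
            entry['last_failure'] = f"{rec['ts']} {rec['msg']}"
            pending.pop(rec['ike_id'], None)
    return dict(summary)


def suspect_tunnels(summary):
    """Tunnels that failed a negotiation or are not up at the end of the window."""
    return sorted(t for t, e in summary.items() if e['failed'] or not e['up'])


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:   # e.g. /var/log/charon.log
            result = triage(fh)
    else:
        result = triage(SAMPLE_LOG.splitlines())
    for t in suspect_tunnels(result):
        e = result[t]
        print(f"{t}: established={e['established']} closed={e['closed']} "
              f"failed={e['failed']} up={e['up']} last_failure={e['last_failure']}")
```

<div>Run as python3 triage.py /var/log/charon.log and the output names the tunnels that were never established, or were closed and not brought back, together with the last failure message seen on each; the bulk of the log can then be searched for just those IKE_SA ids. On the constructed sample, hq_uk_b4b is reported because its quick mode exchange ran out of retransmits and hq_uk_b4a because it was closed and not re-established. If more detail on the exchange itself is needed, raising the ike and chd subsystem levels for a short window, rather than default, keeps the volume far below what a global increase produces.</div>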
</body>
</html>