<div dir="ltr"><div dir="ltr">
<p>Hi folks,</p>

<p>Long time listener, first time caller. I've been a happy strongswan user for years. Recently I moved my gateways to the latest Linux 4.14.77-80 and Strongswan U5.7.1, and if I leave my connection idle, it can never pass traffic again until I restart the connection.</p>

<p>I have two gateways connecting to a Check Point VPN concentrator I don't manage. Identical configuration, bone stock default strongswan.conf. I constantly ping the remote gateway on one of my gateways and it's been up for more than a day; the other I let idle, and now I can't reach the remote IPs any more.</p>

<p>My ipsec.conf is basic:</p>

<pre>config setup
      uniqueids = yes
conn %default
      inactive=15m
      ikelifetime=1h
      lifetime=31m
      margintime=3m
      rekeyfuzz=100%
      rekey=yes
conn REMOTE
      authby=psk
      auto=route
      keyexchange=ikev1
</pre>

<p>What detail would help troubleshoot this?</p>

<p><code>ip route list table 220</code> is the same on the gw that is currently working and the gw that has timed out.</p>

<p><code>/proc/net/xfrm_stat</code> is all zeroes EXCEPT <code>XfrmOutNoStates</code>, which keeps increasing with every ping I send and never get a response to.</p>

<p><code>ip xfrm state</code>:</p>

<p>WORKING:</p>

<pre>src LOCAL dst REMOTEGW
	proto esp spi 0xff09c486 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0xREDACTED 128
	enc cbc(aes) 0xREDACTED
	anti-replay context: seq 0x0, oseq 0x2, bitmap 0x00000000
src REMOTEGW dst LOCAL
	proto esp spi 0xc757e42f reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0xREDACTED 128
	enc cbc(aes) 0xREDACTED
	anti-replay context: seq 0x2, oseq 0x0, bitmap 0x00000003
</pre>

<p>TIMED OUT:</p>

<pre>src LOCAL dst REMOTEGW
	proto esp spi 0x00000000 reqid 1 mode tunnel
	replay-window 0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src LOCALIP/32 dst REMOTEIP/32 proto udp sport 33053 dport 1025 dev eth0
</pre>

<p>Comparison of working and idled out statuses:</p>

<p>WORKING:</p>

<pre>Routed Connections:
 REMOTE{1}:  ROUTED, TUNNEL, reqid 1
 REMOTE{1}:   LOCALSUBNET/32 === REMOTESUBNET/32
Security Associations (1 up, 0 connecting):
 REMOTE[49]: ESTABLISHED 9 minutes ago, redacted
 REMOTE{66}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c894097b_i ed7e44f7_o
 REMOTE{66}:   LOCALSUBNET/32 === REMOTESUBNET/32
</pre>

<p>TIMED OUT:</p>

<pre>Routed Connections:
 REMOTE{1}:  ROUTED, TUNNEL, reqid 1
 REMOTE{1}:   LOCALSUBNET/32 === REMOTESUBNET/32
Security Associations (1 up, 0 connecting):
 REMOTE[16]: ESTABLISHED 6 minutes ago, redacted
</pre>

<p>I have charon debug running with most everything set to 2; here are some state changes from the one that timed out:</p>

<pre>08:13 15[IKE] &lt;15&gt; IKE_SA (unnamed)[15] state change: CREATED =&gt; CONNECTING
08:13 16[IKE] &lt;REMOTE|15&gt; IKE_SA REMOTE[15] state change: CONNECTING =&gt; ESTABLISHED
08:13 06[CHD] &lt;REMOTE|14&gt; CHILD_SA REMOTE{7} state change: CREATED =&gt; DESTROYING
08:13 06[IKE] &lt;REMOTE|14&gt; IKE_SA REMOTE[14] state change: ESTABLISHED =&gt; DELETING
08:13 06[IKE] &lt;REMOTE|14&gt; IKE_SA REMOTE[14] state change: DELETING =&gt; DESTROYING

08:28 16[IKE] &lt;16&gt; IKE_SA (unnamed)[16] state change: CREATED =&gt; CONNECTING
08:28 06[IKE] &lt;REMOTE|16&gt; IKE_SA REMOTE[16] state change: CONNECTING =&gt; ESTABLISHED
08:28 07[CHD] &lt;REMOTE|15&gt; CHILD_SA REMOTE{8} state change: CREATED =&gt; DESTROYING
08:28 07[IKE] &lt;REMOTE|15&gt; IKE_SA REMOTE[15] state change: ESTABLISHED =&gt; DELETING
08:28 07[IKE] &lt;REMOTE|15&gt; IKE_SA REMOTE[15] state change: DELETING =&gt; DESTROYING
</pre>

<p>I'm guessing my side thinks the tunnel is up, remote thinks tunnel is down. How can I get it to automatically reset in this case?</p>

<p>Thanks in advance!</p>
</div></div>
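<p>The three symptoms the post lines up (an outbound ESP state with <code>spi 0x00000000</code> and a <code>sel</code> line but no keys, <code>XfrmOutNoStates</code> climbing on each ping, and <code>statusall</code> showing the connection ROUTED with an ESTABLISHED IKE_SA but no INSTALLED CHILD_SA) can be checked mechanically from the same command output. The script below is an added example, not code from the post or from the strongSwan project: it parses constructed snapshots modelled on the post's output (the placeholders LOCAL, REMOTEGW, LOCALIP and REMOTEIP are the post's own) and reports whether the tunnel is in that "routed but nothing installed" state. On a real gateway you would feed it the live output of <code>ip xfrm state</code>, two reads of <code>/proc/net/xfrm_stat</code> a few pings apart, and <code>ipsec statusall</code>, passing the gateway's real address as <code>local</code>.</p>

```python
"""Spot the 'routed but no ESP state installed' condition from
`ip xfrm state`, /proc/net/xfrm_stat and `ipsec statusall` snapshots.

Added example, not code from the post or from strongSwan. The placeholder
addresses (LOCAL, REMOTEGW, LOCALIP, REMOTEIP) are the post's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- constructed samples, modelled on the post's output --------------------
WORKING_STATE = """\
src LOCAL dst REMOTEGW
\tproto esp spi 0xff09c486 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tauth-trunc hmac(sha256) 0xREDACTED 128
\tenc cbc(aes) 0xREDACTED
\tanti-replay context: seq 0x0, oseq 0x2, bitmap 0x00000000
src REMOTEGW dst LOCAL
\tproto esp spi 0xc757e42f reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0xREDACTED 128
\tenc cbc(aes) 0xREDACTED
\tanti-replay context: seq 0x2, oseq 0x0, bitmap 0x00000003
"""
TIMED_OUT_STATE = """\
src LOCAL dst REMOTEGW
\tproto esp spi 0x00000000 reqid 1 mode tunnel
\treplay-window 0
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
\tsel src LOCALIP/32 dst REMOTEIP/32 proto udp sport 33053 dport 1025 dev eth0
"""
# Two /proc/net/xfrm_stat reads a few pings apart (constructed counter values).
STAT_BEFORE = "XfrmInError\t0\nXfrmOutNoStates\t41\nXfrmOutPolError\t0\n"
STAT_AFTER = "XfrmInError\t0\nXfrmOutNoStates\t48\nXfrmOutPolError\t0\n"
# Trimmed `ipsec statusall` excerpts, as in the post's comparison.
WORKING_STATUS = (" REMOTE{1}:  ROUTED, TUNNEL, reqid 1\n"
                  " REMOTE[49]: ESTABLISHED 9 minutes ago\n"
                  " REMOTE{66}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c894097b_i ed7e44f7_o\n")
TIMED_OUT_STATUS = (" REMOTE{1}:  ROUTED, TUNNEL, reqid 1\n"
                    " REMOTE[16]: ESTABLISHED 6 minutes ago\n")


@dataclass
class XfrmSA:
    src: str
    dst: str
    proto: str = ""
    spi: int = -1
    reqid: int = -1
    mode: str = ""
    has_keys: bool = False  # an enc/auth/aead line was present

    @property
    def larval(self) -> bool:
        # spi 0 with no keys is the kernel's ACQUIRE placeholder: the policy
        # matched, the daemon was asked for an SA, and none has been installed.
        return self.spi == 0 and not self.has_keys


HEADER = re.compile(r"^src (\S+) dst (\S+)")
IDENT = re.compile(r"proto (\S+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text: str) -> list[XfrmSA]:
    """Parse `ip xfrm state` output into one XfrmSA per state block."""
    sas: list[XfrmSA] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)  # anchored, so the 'sel src ...' line does not match
        if m:
            sas.append(XfrmSA(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue
        cur = sas[-1]
        m = IDENT.search(line)
        if m:
            cur.proto, cur.mode = m.group(1), m.group(4)
            cur.spi, cur.reqid = int(m.group(2), 16), int(m.group(3))
        elif line.startswith(("enc ", "auth ", "auth-trunc ", "aead ")):
            cur.has_keys = True
    return sas


def parse_xfrm_stat(text: str) -> dict[str, int]:
    """Parse /proc/net/xfrm_stat ('Name<ws>value' per line) into a dict."""
    counters: dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def child_sa_installed(statusall: str) -> bool:
    """True if `ipsec statusall` lists any CHILD_SA as INSTALLED."""
    return re.search(r"\{\d+\}:\s+INSTALLED", statusall) is not None


def assess(state_text: str, stat_before: str, stat_after: str,
           reqid: int = 1, local: str = "LOCAL") -> dict:
    """Classify the ESP states for one reqid and correlate with the counter."""
    sas = [s for s in parse_xfrm_state(state_text) if s.reqid == reqid and s.proto == "esp"]
    outbound = [s for s in sas if s.src == local]
    inbound = [s for s in sas if s.dst == local]
    if any(not s.larval for s in outbound) and any(not s.larval for s in inbound):
        status = "installed"
    elif any(s.larval for s in outbound):
        status = "larval"
    else:
        status = "missing"
    delta = (parse_xfrm_stat(stat_after).get("XfrmOutNoStates", 0)
             - parse_xfrm_stat(stat_before).get("XfrmOutNoStates", 0))
    # Stuck = traffic is being dropped for want of an SA while none gets installed.
    return {"status": status, "out_no_states_delta": delta,
            "stuck": status != "installed" and delta > 0}


if __name__ == "__main__":
    print("working:  ", assess(WORKING_STATE, STAT_BEFORE, STAT_BEFORE), child_sa_installed(WORKING_STATUS))
    print("timed out:", assess(TIMED_OUT_STATE, STAT_BEFORE, STAT_AFTER), child_sa_installed(TIMED_OUT_STATUS))
```

<p>The verdict is deliberately read-only: a <code>stuck</code> result tells an operator (or a monitoring check) that the kernel policy is routing traffic into a tunnel the daemon never re-established after the idle period, which is the condition the post asks to have reset automatically; what to do about it is a strongSwan configuration question, not something this script decides.</p>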