<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi Ben,</p>
    <p>It makes sense to look into the logs. Configure them using
      charon-logging.conf or charon-systemd.conf according to
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/Loggerconfiguration">https://wiki.strongswan.org/projects/strongswan/wiki/Loggerconfiguration</a>,
      set higher levels for ike, cfg, chd, net sections and then reload
      using 'systemctl reload strongswan'. With very high probability,
      you'll find the issue in the logs.</p>
    <p>Thank you.<br>
    </p>
    <div class="moz-cite-prefix">On 18.11.2020 12:46,
      <a class="moz-txt-link-abbreviated" href="mailto:strongswan.org@it-beheer.eu">strongswan.org@it-beheer.eu</a> wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1d210d23-475a-7867-4bd7-a81aeb92de2a@xs4all.nl">
      <p>Good morning all,</p>
      <p>I have an Ubuntu server 20.04 with two strongSwan connections.
        One is fine and up all the time. The second is a copy of the
        first config with other IP addresses and another secret, and it
        is connecting all the time even though it has already
        established one working connection. I found one person who had
        something similar, which had something to do with setting
        dpdaction and closeaction, but after a few tries I didn't get a
        result, and bringing down the connection all the time gave too
        many interruptions for the client. So basically I have a working
        connection and only get interruptions when it is being
        reestablished.</p>
      <p>Hope someone can tell me what I am doing wrong, or if this is a
        problem at the other end, or can give me some pointers for
        debugging.<br>
      </p>
      <p>===== Conn1 ====<br>
        conn Conn1<br>
         left=31.3.111.111<br>
         right=77.94.111.111<br>
         leftsubnet=10.33.3.0/24<br>
         rightsubnet=172.31.1.0/24<br>
         ike=aes256-sha1-modp1024<br>
         keyexchange=ikev2<br>
         reauth=no<br>
         ikelifetime=86400s<br>
         compress=no<br>
         authby=secret<br>
         esp=aes256-sha1-modp1024<br>
         type=tunnel<br>
         auto=start<br>
         keyingtries=%forever<br>
         dpdaction=restart<br>
         closeaction=restart</p>
      <p><br>
        ===== ipsec.secrets =====<br>
        # This file holds shared secrets or RSA private keys for
        authentication.<br>
        <br>
        # RSA private key for this host, authenticating it to any other
        host<br>
        # which knows the public part.<br>
        <br>
        %any 77.94.111.111 : PSK "&lt;sec1&gt;"<br>
        %any 90.145.222.222 : PSK "&lt;sec2&gt;"<br>
      </p>
      <p><br>
      </p>
      <p>Output from <i>sudo ipsec status<br>
          =========================</i><br>
        <br>
        Security Associations (2 up, 670 connecting):<br>
            Conn1[2466]: ESTABLISHED 16 minutes ago,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1{5461231}:  INSTALLED, TUNNEL, reqid 637, ESP SPIs:
        c1f5asdf_i 725asdf_o<br>
            Conn1{5461231}:   10.33.3.0/24 === 172.31.1.0/24<br>
            Conn1[2464]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2460]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2457]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2455]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
          OtherConnection[2454]: ESTABLISHED 6 hours ago,
        31.3.111.111[31.3.111.111]...90.145.222.222[90.145.222.222]<br>
          OtherConnection{5459235}:  INSTALLED, TUNNEL, reqid 634, ESP
        SPIs: c38asdff_i c919asdf_o<br>
          OtherConnection{5459235}:   10.33.3.0/24 === 100.222.222.0/21<br>
            Conn1[2451]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2447]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2440]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2439]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2437]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2434]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2432]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2430]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2429]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2426]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2425]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2422]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2421]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2418]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2412]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2411]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
            Conn1[2409]: CONNECTING,
        31.3.111.111[31.3.111.111]...77.94.111.111[77.94.111.111]<br>
        ============================<br>
      </p>
      <pre class="moz-signature" cols="72">--
Met vriendelijke groet,
Ben</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison</pre>
  </body>
</html>