<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi all,<br><br>DPD and NAT keepalive only work on the IKE layer, not on the CHILD_SAs that you want.<br><br>Use auto=route, then bring up the tunnel manually once. auto=route makes strongSwan install trap policies for the traffic. That should improve reliability.<br><br>The newest release brought a new value for start_action for use with swanctl/vici that enables installing trap policies and starting the tunnel when the daemon starts.<br><br>Kind regards<br>Noel<br><br><br><div class="gmail_quote">On 17 August 2022 at 13:35:08 UTC, "Dr. Rolf Jansen" <strongswan-rj@cyclaero.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">I know what DPD is. Years ago, I used it with the old racoon of the ipsec-tools, then with IKEv1, and in racoon.conf I set the dpd_delay and let it, after dpd_maxfail, call a script with the phase1_dead argument.<br class=""><div class=""><br class=""></div><div class="">Some time ago, I read the ipsec.conf manual of strongSwan, and I did not realize that „dpdaction = none (default)“ also deactivates DPD and not only the action. Your reply made me read this part again more carefully, and I will try with dpdaction = ....</div><div class=""><br class=""></div><div class="">Now my guess is that I need to use the action „clear“ on both sides once the mobile connection went down, since it usually does not come back in seconds, most of the time not even in minutes. Then my script would reliably be informed by „ipsec status“ that the connection is down, wouldn’t it? And it could be brought up again using „ipsec up“ once the G4 router went back online, couldn’t it?</div><div class=""><br class=""></div><div class="">Or may I use the action „hold“? Usually the WAN-IP of the G4 router changes upon down/up cycling. I guess this would confuse the trap policy, which will catch matching traffic, won’t it? 
</div><div class=""><br class=""></div><div class="">Thank you very much.</div><div class=""><br class=""></div><div class="">Best regards</div><div class=""><br class=""></div><div class="">Rolf Jansen</div><div class=""><br class=""><blockquote type="cite" class=""><div class="">Am 17.08.2022 um 09:56 schrieb Michael Schwartzkopff <<a href="mailto:ms@sys4.de" class="">ms@sys4.de</a>>:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">On 17.08.22 14:50, Dr. Rolf Jansen wrote:</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Hello,<br class=""><br class="">The IKEv2 tunnels are established between device controllers in a remote pilot plant in Spain, which is connected to the internet by a G4 mobile router, and an AWS-EC2 instance in Frankfurt. On both sides strongSwan v5.9.6 is installed and the OS is FreeBSD 13.0-RELEASE. Both sides are behind NAT and receive their local IP via DHCP. 
For this reason I added on both sides static local alias IPs of another reserved block to the respective network adapter.<br class=""><br class="">Mobile connections are not as stable as wired ones, and quite frequently we suffer connection losses. In the pilot plant there are two almost identical device controllers, and each establishes its own IPsec tunnel to said EC2. Usually both are down at the same time. This tells me that the origin of the connection loss is external and out of my control. I want to focus on how to reliably bring them up again once the connection has been lost.<br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">That is exactly why Dead-Peer-Detection was included in IKEv2. 
Did you try using DPD?</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">So, I wrote a script which on the remote sites checks the IPsec status of the connection, and calls „ipsec up“, in case it is down. 
The problem now is that „ipsec status“ seems to think it is up even if the connection is broken, and according to the logs charon keeps on for hours happily sending keepalive messages to the IP of the AWS-EC2 instance, which at the same time sends keepalives as well to its peers, and everybody does it over the already broken connections.<br class=""><br class="">I experimented with mobike = YES, but it did not make a difference.<br class=""><br class=""><br class="">Questions:<br class=""><br class="">Is there a more reliable way than „ipsec status“ for knowing whether an IPsec tunnel went down?<br class=""><br class="">I am not 100 % sure, but it seems that „ipsec up“ does not always bring a broken connection up again; should I call something else?<br class=""><br class="">The more drastic solution would be to let the remote site ping the internal alias address of the EC2 and, in case the connection is broken, simply call „service strongswan restart“. However, if I need to resort to this measure, for what reason do we have „ipsec status“ and „ipsec up“ then?<br class=""><br class="">Best regards<br class=""><br class="">Rolf Jansen<br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Kind regards,</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">--<span class="Apple-converted-space"> </span></span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">[*] sys4 AG</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><a href="https://sys4.de/" style="font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://sys4.de</a><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">, +49 (89) 30 90 46 64</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Schleißheimer Straße 26/MG, 80333 München</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Registered office: München, Amtsgericht München: HRB 199263</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief</span><br style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: SourceCodePro-Light; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Chairman of the supervisory board: Florian Kirstein</span></div></blockquote></div><br class=""></div></blockquote></div><div style='white-space: pre-wrap'>Sent from mobile</div></body></html>