[strongSwan] How to deal with intermittent connection problems?
Andreas Ntaflos
daff at pseudoterminal.org
Mon Apr 25 22:06:15 CEST 2011
Hi,
at one of our sites we are experiencing intermittent connection problems
thanks to our ISP (hosts unreachable, timeouts, etc). This has been
going on for weeks now and it affects the stability of our established
IPSec tunnels to client sites. We are using StrongSwan 4.3.2 on Ubuntu
10.04.2 Server. Before the problems began the tunnels were running fine
for months so I doubt this is a configuration problem on our end.
Running "ipsec restart" after such a connection problem occurred
re-establishes the tunnel and connectivity is restored. Before
restarting the tunnels seem to be in a state described by "ipsec
statusall" as follows (hope this is legible, the lines are quite long):
000 "conn0":
80.x.y.112/32===80.x.y.112---80.x.y.100...192.z.k.4===10.10.30.28/32;
prospective erouted; eroute owner: #0
000 "conn0": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "conn0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32;
interface: eth1;
000 "conn0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #12236: "conn0" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 27s
000 80.x.y.112/32:0 -> 10.10.30.28/32:22 => %hold:6 0 %acquire-netlink
What can I do to debug this and possibly even prevent it from happening?
Any hints or pointers are welcome, especially RTFM links. I attached the
ipsec.conf file for this example tunnel, if needed.
Thanks in advance!
Andreas
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec-conn0.conf
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110425/b7eb77b5/attachment.ksh>
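Added example, not part of the original post and not strongSwan code: a small parser that takes the "ipsec statusall" text quoted above (mail-wrapped as it appears there), rejoins the wrapped lines and reports connections that are wanted up but have no IPsec SA, together with their in-flight states and the number of %hold entries. Reading the UP flag in the policy line as "should be up" and treating "newest IPsec SA: #0" as "no SA" are this example's assumptions; the function names are hypothetical.

```python
import re

# Status text as quoted in the post (wrapped by the mail client, addresses masked there).
SAMPLE = '''\
000 "conn0":
80.x.y.112/32===80.x.y.112---80.x.y.100...192.z.k.4===10.10.30.28/32;
prospective erouted; eroute owner: #0
000 "conn0": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "conn0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32;
interface: eth1;
000 "conn0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #12236: "conn0" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 27s
000 80.x.y.112/32:0 -> 10.10.30.28/32:22 => %hold:6 0 %acquire-netlink
'''

def unwrap(text):
    """Rejoin wrapped lines: every real record starts with the '000 ' prefix."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("000 ") or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def analyze(text):
    """Return ({conn: [states]} for conns wanted up without an IPsec SA, hold count)."""
    want_up, ipsec_sa, states, holds = set(), {}, {}, 0
    for rec in unwrap(text):
        conn = re.match(r'000 "([^"]+)":\s*(.*)', rec)
        state = re.match(r'000 #\d+: "([^"]+)" (STATE_\w+)', rec)
        if conn:
            name, body = conn.groups()
            pol = re.search(r'policy: ([A-Z0-9_+]+)', body)
            if pol and "UP" in pol.group(1).split("+"):
                want_up.add(name)          # assumption: UP means "should be up"
            sa = re.search(r'newest IPsec SA: #(\d+)', body)
            if sa:
                ipsec_sa[name] = int(sa.group(1))
        elif state:
            states.setdefault(state.group(1), []).append(state.group(2))
        elif "%hold" in rec:
            holds += 1                     # traffic held while no SA exists
    stalled = {n: states.get(n, []) for n in sorted(want_up) if ipsec_sa.get(n, 0) == 0}
    return stalled, holds

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Feeding it the live output of "ipsec statusall" from a periodic job gives a record of when a tunnel entered this state, which can then be lined up against the ISP outages.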