[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 1 16:05:41 CET 2011

Hello Fabrice,

sorry for the delay in answering your questions but I was quite
busy due to the start of the spring term at our university.

On 03/01/2011 10:40 AM, CETIAD - Fabrice Barconnière wrote:
> Hello,
> I've configurated strongswan with sqlite database beetween one gateway
> (sphynx) and several others (amon1, amon2, ... up to six hundred).
> Connections are beetween sphynx subnets and amon subnets (sometimes
> beetween amon subnets).
> Text file join to this mail shows my network infrastructure.
> On sphynx, start_action and dpd_action are set to 0.
> On amon, start_action and dpd_action are set to 2.
> 1) When sqlite database is modified, how apply the updates without
> restarting ipsec ?
> ipsec update command doesn't work in my configuration.
> Is there an other way to do that or some fields should be set to
> specific values ?
The "ipsec update" command does not work with connection configurations
stored in an SQL database. The command just checks for any changes in
ipsec.conf and communicates them to the charon daemon via the stroke
socket interface.

I made some database changes in CHILD_SA net-3 and

ipsec statusall     shows the changes immediately.
ipsec down net-3    does not work but
ipsec down net-3{3} takes the CHILD_SA down
ipsec up net-3      doesn't work so we have a real problem here

You find the detailed output in the moon.statusall attachment.

ipsec down net-net  takes down the IKE_SA and all three CHILD_SAs
ipsec up net-net    does not start up them again so we have a problem

I have to look into this. It should be possible to take down single
CHILD_SAs and/or IKE_SAs and start them again without having to
restart the whole daemon.

> 2) How Dead Peer Dectection works ?
> When ipsec is restarted on sphynx, connections stay down on amon--
> gateways.
> Is there special values to set in database ?
I loaded the sql/net2net-start-pem scenario


which is closely modelled after your setup and has the DPD settings

    moon: start_action = 2 (start), dpd_action = 2 (restart)
    sun:  start_action = 0 (add),   dpd_action = 0 (clear)

I started the scenario and let it run for a couple of minutes in order
to show that DPD informational messages are exchanged. I then blocked
the access to sun so that moon was starting to retransmit and after
5 unanswered retransmission moon deleted all SAs and tried to
reconnect. I then enabled access to sun again and the IKE_SA and
all 3 CHILD_SAs were automatically re-established. You can find my
log as attachment "moon.daemon.log".

If you restart charon on sun by executing "ipsec restart" then
the IKE_SA and the CHILD_SAs are deleted by exchanging DELETE notifies
and the connection doesn't come up again automatically. This is normal
behaviour and doesn't have anything to do with DPD. Up must then
start up the SAs either on moon or sun manually.

> Thanks
> Fabrice

Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: moon.daemon.log
Type: text/x-log
Size: 16834 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110301/133150d5/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: moon.statusall
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110301/133150d5/attachment.ksh>

More information about the Users mailing list