[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 1 22:33:26 CET 2011
Hello Fabrice,
I checked in the patch
http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ea1c20d14be22ca4dc91f9d984d7406b210c0cd6
which allows you to initiate or route a child config which doesn't
have a corresponding peer config of the same name as is the case
in our setup. Thus if you have updated the e.g. the child config
'net-3' in the SQL database then you just execute
ipsec down net-3{*}
ipsec up net-3
and the modified CHILD_SA will be up again.
Kind regards
Andreas
On 03/01/2011 04:05 PM, Andreas Steffen wrote:
> Hello Fabrice,
>
> sorry for the delay in answering your questions but I was quite
> busy due to the start of the spring term at our university.
>
> On 03/01/2011 10:40 AM, CETIAD - Fabrice Barconnière wrote:
>> Hello,
>>
>> I've configurated strongswan with sqlite database beetween one gateway
>> (sphynx) and several others (amon1, amon2, ... up to six hundred).
>> Connections are beetween sphynx subnets and amon subnets (sometimes
>> beetween amon subnets).
>> Text file join to this mail shows my network infrastructure.
>>
>> On sphynx, start_action and dpd_action are set to 0.
>> On amon, start_action and dpd_action are set to 2.
>>
>> 1) When sqlite database is modified, how apply the updates without
>> restarting ipsec ?
>> ipsec update command doesn't work in my configuration.
>> Is there an other way to do that or some fields should be set to
>> specific values ?
>>
> The "ipsec update" command does not work with connection configurations
> stored in an SQL database. The command just checks for any changes in
> ipsec.conf and communicates them to the charon daemon via the stroke
> socket interface.
>
> I made some database changes in CHILD_SA net-3 and
>
> ipsec statusall shows the changes immediately.
> ipsec down net-3 does not work but
> ipsec down net-3{3} takes the CHILD_SA down
> ipsec up net-3 doesn't work so we have a real problem here
>
> You find the detailed output in the moon.statusall attachment.
>
> ipsec down net-net takes down the IKE_SA and all three CHILD_SAs
> ipsec up net-net does not start up them again so we have a problem
>
> I have to look into this. It should be possible to take down single
> CHILD_SAs and/or IKE_SAs and start them again without having to
> restart the whole daemon.
>
>> 2) How Dead Peer Dectection works ?
>> When ipsec is restarted on sphynx, connections stay down on amon--
>> gateways.
>> Is there special values to set in database ?
>>
> I loaded the sql/net2net-start-pem scenario
>
> http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/
>
> which is closely modelled after your setup and has the DPD settings
>
> moon: start_action = 2 (start), dpd_action = 2 (restart)
> sun: start_action = 0 (add), dpd_action = 0 (clear)
>
> I started the scenario and let it run for a couple of minutes in order
> to show that DPD informational messages are exchanged. I then blocked
> the access to sun so that moon was starting to retransmit and after
> 5 unanswered retransmission moon deleted all SAs and tried to
> reconnect. I then enabled access to sun again and the IKE_SA and
> all 3 CHILD_SAs were automatically re-established. You can find my
> log as attachment "moon.daemon.log".
>
> If you restart charon on sun by executing "ipsec restart" then
> the IKE_SA and the CHILD_SAs are deleted by exchanging DELETE notifies
> and the connection doesn't come up again automatically. This is normal
> behaviour and doesn't have anything to do with DPD. Up must then
> start up the SAs either on moon or sun manually.
>
>> Thanks
>>
>> Fabrice
>>
>
> Best regards
>
> Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list