[strongSwan] Strongswan 4.5.1 with sqlite database: update database and DPD

CETIAD - Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Thu Mar 3 10:55:03 CET 2011

Hello Andreas,

Thank you very much for the patch.

Our ARV tool generate the same child_configs's name for each peer_configs.
I think we must modify it if we want to execute "ipsec up child_name".
Do you think so ?

If we want connections to be up automatically after a restart or reboot, 
is there any contraindication to set start_action = 2 on each gateway or 
is it better to keep start_action=0 on one gateway and start_action=2 on 
the others and execute "ipsec up child_name/peer_name" command on either 
sphynx (start_action=0) or amon (start_action=2) gateway?

In /usr/sbin/ipsec script, line 278, /var/lock/subsys/ipsec file is 
created if /var/lock/subsys directory exists.
If subsys directory doesn't exist, ipsec file is not created. Is it 
normal behaviour ?

In strongswan.conf file, we set log as following :
charon {
     filelog {
         /var/log/charon.log {
             time_format = %b %e %T
             append = yes
             default = 1

Logrotate archives charon.log to charon.log.x.gz.
How charon daemon can create and use a new charon.log file without 
restarting ipsec ?

Best regards


Le 01/03/2011 22:33, Andreas Steffen a écrit :
> Hello Fabrice,
> I checked in the patch
> http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ea1c20d14be22ca4dc91f9d984d7406b210c0cd6 
> which allows you to initiate or route a child config which doesn't
> have a corresponding peer config of the same name as is the case
> in our setup. Thus if you have updated the e.g. the child config
> 'net-3' in the SQL database then you just execute
>   ipsec down net-3{*}
>   ipsec up net-3
> and the modified CHILD_SA will be up again.
> Kind regards
> Andreas
> On 03/01/2011 04:05 PM, Andreas Steffen wrote:
>> Hello Fabrice,
>> sorry for the delay in answering your questions but I was quite
>> busy due to the start of the spring term at our university.
>> On 03/01/2011 10:40 AM, CETIAD - Fabrice Barconnière wrote:
>>> Hello,
>>> I've configurated strongswan with sqlite database beetween one gateway
>>> (sphynx) and several others (amon1, amon2, ... up to six hundred).
>>> Connections are beetween sphynx subnets and amon subnets (sometimes
>>> beetween amon subnets).
>>> Text file join to this mail shows my network infrastructure.
>>> On sphynx, start_action and dpd_action are set to 0.
>>> On amon, start_action and dpd_action are set to 2.
>>> 1) When sqlite database is modified, how apply the updates without
>>> restarting ipsec ?
>>> ipsec update command doesn't work in my configuration.
>>> Is there an other way to do that or some fields should be set to
>>> specific values ?
>> The "ipsec update" command does not work with connection configurations
>> stored in an SQL database. The command just checks for any changes in
>> ipsec.conf and communicates them to the charon daemon via the stroke
>> socket interface.
>> I made some database changes in CHILD_SA net-3 and
>> ipsec statusall shows the changes immediately.
>> ipsec down net-3 does not work but
>> ipsec down net-3{3} takes the CHILD_SA down
>> ipsec up net-3 doesn't work so we have a real problem here
>> You find the detailed output in the moon.statusall attachment.
>> ipsec down net-net takes down the IKE_SA and all three CHILD_SAs
>> ipsec up net-net does not start up them again so we have a problem
>> I have to look into this. It should be possible to take down single
>> CHILD_SAs and/or IKE_SAs and start them again without having to
>> restart the whole daemon.
>>> 2) How Dead Peer Dectection works ?
>>> When ipsec is restarted on sphynx, connections stay down on amon--
>>> gateways.
>>> Is there special values to set in database ?
>> I loaded the sql/net2net-start-pem scenario
>> http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/
>> which is closely modelled after your setup and has the DPD settings
>> moon: start_action = 2 (start), dpd_action = 2 (restart)
>> sun: start_action = 0 (add), dpd_action = 0 (clear)
>> I started the scenario and let it run for a couple of minutes in order
>> to show that DPD informational messages are exchanged. I then blocked
>> the access to sun so that moon was starting to retransmit and after
>> 5 unanswered retransmission moon deleted all SAs and tried to
>> reconnect. I then enabled access to sun again and the IKE_SA and
>> all 3 CHILD_SAs were automatically re-established. You can find my
>> log as attachment "moon.daemon.log".
>> If you restart charon on sun by executing "ipsec restart" then
>> the IKE_SA and the CHILD_SAs are deleted by exchanging DELETE notifies
>> and the connection doesn't come up again automatically. This is normal
>> behaviour and doesn't have anything to do with DPD. Up must then
>> start up the SAs either on moon or sun manually.
>>> Thanks
>>> Fabrice
>> Best regards
>> Andreas
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

More information about the Users mailing list