[strongSwan] Restarting ipsec on the left requires restart on the right
Tobias Brunner
tobias at strongswan.org
Wed Feb 15 18:19:26 CET 2012
Hi Andreas,

> Issuing an "ipsec restart" on the left end of the tunnel seems to kill
> the connection and it won't come back until I issue an "ipsec restart"
> on the right end as well.

You should check the log on the right to see what the problem is when
left tries to re-establish the connection.

> This is obviously not practical. It seems the right server is not aware
> that the connection has been interrupted. How do I make it aware?

You could configure DPD with dpdaction=restart so that right
re-establishes the SA once it detects the old SA is gone.

> It may also be noteworthy that restarting the *right* server does not
> result in the same problem. In this case the connection is interrupted
> only for the time it takes "ipsec restart" on the right to complete. Is
> this behaviour because of the different StrongSwan versions used?

Could be, yes. The log of the respective remote end should show if
there is a difference in their behavior.

Regards,
Tobias
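
The DPD suggestion above, written out as an ipsec.conf fragment for the right-hand gateway. This is an added example, not part of the original message; the connection name, addresses and subnets are constructed placeholders, and the timer values are assumptions to be tuned for the link.

```conf
# /etc/ipsec.conf on the right-hand gateway (added example, not from the thread)

# Hypothetical connection name; use the name of the existing tunnel.
conn site-to-site
    # Constructed documentation addresses: "left" is this gateway,
    # "right" is the peer that gets restarted.
    left=192.0.2.2
    leftsubnet=10.2.0.0/16
    right=192.0.2.1
    rightsubnet=10.1.0.0/16
    auto=start

    # Dead peer detection: when the peer stops answering, discard the
    # stale SA and immediately try to negotiate a new one.
    # Other accepted values are none, clear and hold.
    dpdaction=restart

    # Interval between liveness checks while the SA is otherwise idle.
    dpddelay=30s

    # IKEv1 only: how long to wait without any response before the peer
    # is declared dead. With IKEv2 the retransmission timeout decides.
    dpdtimeout=150s
```

With this in place the right-hand side notices the missing peer on its own after at most the configured delay plus timeout, so the log on the right should show the DPD action firing and a new negotiation starting rather than the old SA lingering.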