[strongSwan] Persistent SAs

Kimmo Koivisto koippa at gmail.com
Tue Oct 2 08:56:27 CEST 2012


Hello

I have server 1 (SS 5.0.1rc1) against server 2 (SS 5.0.0) in a net2net
kind of configuration.
My goal is to make the IKE and Child SAs persistent so that I don't have
to do anything manually and the SAs keep working automatically.

Yesterday I had to reboot server 1 because of a power failure, and today
when I checked the status, no Child SAs were installed:

# ipsec status
Security Associations (1 up, 0 connecting):
work1[134]: ESTABLISHED 2 hours ago,
server1.pub.ip[server1.pub.ip]...server2.pub.ip[server2.pub.ip]

Then I did:
# ipsec up work1
establishing CHILD_SA work1
generating CREATE_CHILD_SA request 24 [ SA No KE TSi TSr ]
sending packet: from server1.pub.ip[4500] to server2.pub.ip[4500]
received packet: from server2.pub.ip[4500] to server1.pub.ip[4500]
parsed CREATE_CHILD_SA response 24 [ SA No KE TSi TSr ]

to get the Child SAs up.

After that the status was:

# ipsec status
Security Associations (1 up, 0 connecting):
       work1[134]: ESTABLISHED 2 hours ago,
server1.pub.ip[server1.pub.ip]...server2.pub.ip[server2.pub.ip]
       work1{135}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ce4ed9c7_i c557494a_o
       work1{135}:   one.subnet.from.left.side === one.subnet.from.right.side

Which is ok.

My configuration is:
conn work1
        closeaction=restart
        dpdaction=restart
        forceencaps=yes
        reauth=yes
        keyexchange=ikev2
        mobike=no
        ikelifetime=28800s
        keylife=7200s
        rekeymargin=10m
        keyingtries=%forever
        authby=secret
        right=server2.pub.ip
        rightsubnet=one.subnet.from.right.side
        rightid=server2.pub.ip
        rightfirewall=no
        left=server1.pub.ip
        leftsubnet=one.subnet.from.left.side
        leftid=server1.pub.ip
        auto=start


The question is, how do I improve server 1's ipsec.conf to be able to keep
the SAs up always without manual interaction? I don't have access to
server 2.

Regards,
Kimmo
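The condition described in this post (an ESTABLISHED IKE_SA with no INSTALLED CHILD_SA underneath it) is easy to miss until traffic stops. The following check is an added example, not code from the poster or from the strongSwan project; it parses `ipsec status` output in the format quoted above and reports connections whose IKE_SA is up but which carry no installed CHILD_SA, so a monitoring job can alert on them. It assumes the 5.0.x `ipsec status` line format shown in the post; the sample strings are constructed from that output.

```python
import re
from typing import List, Set

# Constructed sample: the `ipsec status` output from the post, with the
# line that the mail client wrapped joined back into one line.
SAMPLE_STATUS_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
       work1[134]: ESTABLISHED 2 hours ago, server1.pub.ip[server1.pub.ip]...server2.pub.ip[server2.pub.ip]
"""

# Constructed sample: the same output after `ipsec up work1` succeeded.
SAMPLE_STATUS_OK = """\
Security Associations (1 up, 0 connecting):
       work1[134]: ESTABLISHED 2 hours ago, server1.pub.ip[server1.pub.ip]...server2.pub.ip[server2.pub.ip]
       work1{135}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ce4ed9c7_i c557494a_o
       work1{135}:   one.subnet.from.left.side === one.subnet.from.right.side
"""

# IKE_SA lines look like "name[unique-id]: ESTABLISHED ...".
IKE_RE = re.compile(r"^\s*(?P<name>\S+)\[(?P<id>\d+)\]:\s+ESTABLISHED\b")
# CHILD_SA lines look like "name{unique-id}: INSTALLED, ...".
CHILD_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED\b")


def ike_without_child(status_output: str) -> List[str]:
    """Return connection names that have an ESTABLISHED IKE_SA but no
    INSTALLED CHILD_SA, i.e. a tunnel that is 'up' yet carries no traffic."""
    established: Set[str] = set()
    installed: Set[str] = set()
    for line in status_output.splitlines():
        m = IKE_RE.match(line)
        if m:
            established.add(m.group("name"))
            continue
        m = CHILD_RE.match(line)
        if m:
            installed.add(m.group("name"))
    return sorted(established - installed)


if __name__ == "__main__":
    # Live use: run `ipsec status` on the host and report the stale connections.
    import subprocess
    out = subprocess.run(["ipsec", "status"], capture_output=True,
                         text=True, check=True).stdout
    for name in ike_without_child(out):
        print(f"IKE_SA up but no CHILD_SA installed: {name}")
```

Exit status or output of this check can feed whatever alerting the host already has; it does not change any SA itself.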
