[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites

Andreas Ntaflos daff at pseudoterminal.org
Wed Apr 3 00:29:45 CEST 2013


We have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
connecting to various remote sites (customers, partners, etc.) we have no
control over. Most remote sites use some kind of Checkpoint or Cisco
device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
Strongswan connection config is shown below.

I have observed that when a connection/tunnel between our Strongswan
endpoint and a remote site has been idle for too long (no idea how long
exactly), i.e. no traffic went through the tunnel for some time, we need
to restart Strongswan on our side to re-enable traffic to the remote
site. Otherwise ping, SSH and anything else just time out. After a
restart everything instantly works again as expected.

This is very probably a configuration issue somewhere but I have no idea
where to start looking. I'd suspect things like keylife and ikelifetime
are candidates but as far as I can tell these two settings are the same
and correct on both sides.

I'd appreciate any hints on how to debug this.

Thanks in advance,


conn us.example.com--them.example.net
    type            = tunnel
    left            = x.y.167.219
    leftid          = x.y.167.219
    leftsubnet      =
    right           = x.z.170.105
    rightid         = x.z.170.105
    rightsubnet     =
    auth            = esp
    pfs             = yes
    pfsgroup        = modp1024
    compress        = no
    esp             = aes256-sha1!
    ike             = aes256-sha1-modp1024!
    ikelifetime     = 28800s
    keylife         = 3600s
    keyingtries     = %forever
    keyexchange     = ikev1
    authby          = psk
    dpdaction       = restart
    dpddelay        = 30s
    dpdtimeout      = 20s
    auto            = start

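Added example, not part of the original post or of strongSwan itself: a small watchdog that probes a host behind the tunnel and, on failure, re-initiates only the affected conn with `ipsec down` / `ipsec up` instead of restarting the whole daemon (which drops every other tunnel). The conn name matches the config above; the probe host and the `IPSEC` / `PING` overrides are assumptions.

```shell
#!/bin/sh
# Watchdog for the "idle tunnel stops passing traffic" symptom.
# IPSEC and PING can be overridden (non-standard paths, or stubs in tests).
IPSEC=${IPSEC:-ipsec}
PING=${PING:-ping}

# log MSG: write to syslog if logger exists, otherwise to stderr.
log() {
    logger -t ipsec-watchdog "$*" 2>/dev/null || echo "ipsec-watchdog: $*" >&2
}

# probe_tunnel CONN HOST: return 0 if HOST answers through the tunnel,
# 1 otherwise (3 echo requests, 2 s reply timeout each).
probe_tunnel() {
    conn=$1; host=$2
    if "$PING" -c 3 -W 2 -q "$host" >/dev/null 2>&1; then
        return 0
    fi
    log "conn $conn: $host unreachable"
    return 1
}

# repair_tunnel CONN: tear down and re-initiate this one conn only,
# leaving all other tunnels on the gateway untouched.
repair_tunnel() {
    conn=$1
    log "conn $conn: re-initiating"
    "$IPSEC" down "$conn"
    "$IPSEC" up "$conn"
}

# watchdog CONN HOST: one check cycle; prints "ok" or "repaired".
watchdog() {
    if probe_tunnel "$1" "$2"; then
        echo ok
    else
        repair_tunnel "$1"
        echo repaired
    fi
}

# Example invocation (e.g. from cron every few minutes); the probe host
# 10.0.0.1 is an assumed address inside rightsubnet:
#   watchdog us.example.com--them.example.net 10.0.0.1
```

Logging each repair gives a timeline of how long the tunnel was up before it silently stopped, which is the first thing to correlate with keylife, ikelifetime and the DPD settings.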