[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites
Andreas Ntaflos
daff at pseudoterminal.org
Wed Apr 3 00:29:45 CEST 2013
Hi,
we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
connecting to various remote sites (customers, partners, etc.) that we have
no control over. Most remote sites use some kind of Checkpoint or Cisco
device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
Strongswan connection config is shown below.
I have observed that when a connection/tunnel between our Strongswan
endpoint and a remote site has been idle for too long (no idea how long
exactly), i.e. no traffic went through the tunnel for some time, we need
to restart Strongswan on our side to re-enable traffic to the remote
site. Otherwise ping, SSH and anything else just time out. After a
restart everything instantly works again as expected.
This is very probably a configuration issue somewhere, but I have no idea
where to start looking. I'd suspect things like keylife and ikelifetime
are candidates, but as far as I can tell these two settings are the same
and correct on both sides.
I'd appreciate any hints on how to debug this.
Thanks in advance,
Andreas
conn us.example.com--them.example.net
        type = tunnel
        left = x.y.167.219
        leftid = x.y.167.219
        leftsubnet = 10.1.63.0/24
        right = x.z.170.105
        rightid = x.z.170.105
        rightsubnet = 10.60.2.0/24
        auth = esp
        pfs = yes
        pfsgroup = modp1024
        compress = no
        esp = aes256-sha1!
        ike = aes256-sha1-modp1024!
        ikelifetime = 28800s
        keylife = 3600s
        keyingtries = %forever
        keyexchange = ikev1
        authby = psk
        dpdaction = restart
        dpddelay = 30s
        dpdtimeout = 20s
        auto = start
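Since the suspicion is a lifetime mismatch between the two sides, a small script that reads the conn block above and compares it, with durations normalised, against what the remote admin reports helps rule that out. This is an added example, not part of the post or of strongSwan; the PEER_REPORTED values are hypothetical, and the DPD ordering check is my own heuristic rather than a rule stated in the post.

```python
import re

# Constructed input: the relevant keys from the conn block in the post.
LOCAL_CONF = """\
conn us.example.com--them.example.net
        pfsgroup = modp1024
        esp = aes256-sha1!
        ike = aes256-sha1-modp1024!
        ikelifetime = 28800s
        keylife = 3600s
        dpddelay = 30s
        dpdtimeout = 20s
"""
# Hypothetical: what the peer's admin reported, in their vendor's units.
PEER_REPORTED = {"ikelifetime": "8h", "keylife": "1h", "pfsgroup": "modp1024",
                 "esp": "aes256-sha1", "ike": "aes256-sha1-modp1024"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DURATION_KEYS = ("ikelifetime", "keylife", "rekeymargin", "dpddelay", "dpdtimeout")

def to_seconds(value):
    """Normalise an ipsec.conf duration ('3600s', '1h', '9m', bare number) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conns(text):
    """Minimal ipsec.conf reader: 'conn NAME' headers followed by indented key = value lines."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            conns[name] = {}
        elif name is not None and "=" in line:
            key, _, val = line.partition("=")
            conns[name][key.strip()] = val.strip()
    return conns

def normalise(key, value):
    # '!' only marks a proposal as strict; compare the algorithm list itself.
    return to_seconds(value) if key in DURATION_KEYS else value.rstrip("!")

def compare_sides(local, peer):
    """Return (key, local, peer) for every setting the two sides disagree on."""
    return [(k, local.get(k), peer[k]) for k in sorted(peer)
            if k not in local or normalise(k, local[k]) != normalise(k, peer[k])]

def check_dpd(conn):
    """Heuristic (mine): flag a DPD timeout no longer than the probe delay for review."""
    delay = to_seconds(conn.get("dpddelay", "30s"))       # strongSwan defaults
    timeout = to_seconds(conn.get("dpdtimeout", "150s"))
    return [] if timeout > delay else [f"dpdtimeout {timeout}s <= dpddelay {delay}s: review"]
```

Run `compare_sides(parse_conns(LOCAL_CONF)["us.example.com--them.example.net"], PEER_REPORTED)`; an empty list means the lifetimes, PFS group and proposals agree once units are normalised.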