[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 4 19:33:12 CEST 2013

Hi Andreas,

from your ipsec.conf file I see that you configured

      dpddelay        = 30s
      dpdtimeout      = 20s

with dpdtimeout being shorter than dpddelay. This means that
your connection restarts before the first DPD check happens.
We recommend dpdtimeout to be between 4 and 5 times higher
than dpddelay, so that the connection is cut only if 4-5
keep-alive packets are not received. In your case:

      dpddelay        = 30s
      dpdtimeout      = 150s

On 03.04.2013 00:29, Andreas Ntaflos wrote:
> Hi,
> we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
> connecting to various remote sites (customers, partners, etc) we have no
> control over. Most remote sites use some kind of Checkpoint or Cisco
> device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
> Strongswan connection config is shown below.
> I have observed that when a connection/tunnel between our Strongswan
> endpoint and a remote site has been idle for too long (no idea how long
> exactly), i.e. no traffic went through the tunnel for some time, we need
> to restart Strongswan on our side to re-enable traffic to the remote
> site. Otherwise ping, SSH and anything else just time out. After a
> restart everything instantly works again as expected.
> This is very probably a configuration issue somewhere but I have no idea
> where to start looking. I'd suspect things like keylife and ikelifetime
> are candidates but as far as I can tell these two settings are the same
> and correct on both sides.
> I'd appreciate any hints on how to debug this.
> Thanks in advance,
> Andreas
> conn us.example.com--them.example.net
>      type            = tunnel
>      left            = x.y.167.219
>      leftid          = x.y.167.219
>      leftsubnet      =
>      right           = x.z.170.105
>      rightid         = x.z.170.105
>      rightsubnet     =
>      auth            = esp
>      pfs             = yes
>      pfsgroup        = modp1024
>      compress        = no
>      esp             = aes256-sha1!
>      ike             = aes256-sha1-modp1024!
>      ikelifetime     = 28800s
>      keylife         = 3600s
>      keyingtries     = %forever
>      keyexchange     = ikev1
>      authby          = psk
>      dpdaction       = restart
>      dpddelay        = 30s
>      dpdtimeout      = 20s
>      auto            = start

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
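
As an added illustration of the dpddelay/dpdtimeout relationship described in the reply above (example code written for this page, not part of the original mail and not strongSwan's own code): a small Python checker that parses conn sections from ipsec.conf text, converts the s/m/h/d duration suffixes to seconds, and flags a dpdtimeout that does not allow at least 4 missed DPD probes, suggesting 5 x dpddelay as the corrected value. The ipsec.conf excerpt is constructed, modelled on the one in the thread, with RFC 5737 placeholder addresses; the conn name "site-a--site-b" and the ratio thresholds are assumptions of the example.

```python
import re

# Multipliers for the duration suffixes ipsec.conf accepts; a bare number means seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed ipsec.conf excerpt, modelled on the one quoted in the thread.
# Addresses are RFC 5737 documentation addresses; the conn name is invented.
SAMPLE_IPSEC_CONF = """
conn site-a--site-b
     type            = tunnel
     left            = 192.0.2.1
     right           = 198.51.100.1
     keyexchange     = ikev1
     authby          = psk
     ikelifetime     = 8h
     keylife         = 1h
     dpdaction       = restart
     dpddelay        = 30s
     dpdtimeout      = 20s
     auto            = start
"""


def parse_duration(value):
    """Convert an ipsec.conf duration ('30s', '2m', '8h', '1d' or a bare '150') to seconds."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if match is None:
        raise ValueError("unrecognised duration: %r" % value)
    return int(match.group(1)) * _UNITS[match.group(2) or "s"]


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def check_dpd(settings, min_ratio=4, suggest_ratio=5):
    """Check dpdtimeout against dpddelay for one conn.

    Returns (ok, finding, suggested_dpdtimeout_seconds); suggested is None when the
    conn does not set both DPD timers.  min_ratio and suggest_ratio are the 4-5 x
    rule of thumb from the reply above, as assumed defaults.
    """
    if "dpddelay" not in settings or "dpdtimeout" not in settings:
        return True, "dpddelay/dpdtimeout not both set; nothing to check", None
    delay = parse_duration(settings["dpddelay"])
    timeout = parse_duration(settings["dpdtimeout"])
    suggested = delay * suggest_ratio
    if timeout <= delay:
        finding = ("dpdtimeout=%ds is not longer than dpddelay=%ds: the connection is "
                   "restarted before the first DPD check happens" % (timeout, delay))
        return False, finding, suggested
    if timeout < delay * min_ratio:
        finding = ("dpdtimeout=%ds allows fewer than %d missed probes at dpddelay=%ds"
                   % (timeout, min_ratio, delay))
        return False, finding, suggested
    finding = ("dpdtimeout=%ds permits %d missed probes at dpddelay=%ds"
               % (timeout, timeout // delay, delay))
    return True, finding, suggested


if __name__ == "__main__":
    for name, settings in parse_conns(SAMPLE_IPSEC_CONF).items():
        ok, finding, suggested = check_dpd(settings)
        print("%s: %s %s" % (name, "OK " if ok else "BAD", finding))
        if not ok:
            print("    suggested: dpdtimeout = %ds" % suggested)
```

Run against the constructed excerpt it reports the 30s/20s pair as bad and suggests dpdtimeout = 150s, the value given in the reply; feed it your real ipsec.conf to check every conn at once.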
