[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites

Andreas Steffen andreas.steffen at strongswan.org
Thu Apr 4 19:33:12 CEST 2013


Hi Andreas,

from your ipsec.conf file I see that you configured

      dpddelay        = 30s
      dpdtimeout      = 20s

with dpdtimeout being shorter than dpddelay. This means that
your connection restarts before the first DPD check happens.
We recommend for dpdtimeout to be between 4-5 times higher
than dpddelay, so that the connection is cut only if 4-5
keep-alive packets are not received. In your case:

      dpddelay        = 30s
      dpdtimeout      = 150s

Regards

Andreas

On 03.04.2013 00:29, Andreas Ntaflos wrote:
> Hi,
>
> we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
> connecting to various remote sites (customers, partners, etc) we have no
> control over. Most remote sites use some kind of Checkpoint or Cisco
> device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
> Strongswan connection config is shown below.
>
> I have observed that when a connection/tunnel between our Strongswan
> endpoint and a remote site has been idle for too long (no idea how long
> exactly), i.e. no traffic went through the tunnel for some time, we need
> to restart Strongswan on our side to re-enable traffic to the remote
> site. Otherwise ping, SSH and anything else just time out. After a
> restart everything instantly works again as expected.
>
> This is very probably a configuration issue somewhere but I have no idea
> where to start looking. I'd suspect things like keylife and ikelifetime
> are candidates but as far as I can tell these two settings are the same
> and correct on both sides.
>
> I'd appreciate any hints on how to debug this.
>
> Thanks in advance,
>
> Andreas
>
> conn us.example.com--them.example.net
>      type            = tunnel
>      left            = x.y.167.219
>      leftid          = x.y.167.219
>      leftsubnet      = 10.1.63.0/24
>      right           = x.z.170.105
>      rightid         = x.z.170.105
>      rightsubnet     = 10.60.2.0/24
>      auth            = esp
>      pfs             = yes
>      pfsgroup        = modp1024
>      compress        = no
>      esp             = aes256-sha1!
>      ike             = aes256-sha1-modp1024!
>      ikelifetime     = 28800s
>      keylife         = 3600s
>      keyingtries     = %forever
>      keyexchange     = ikev1
>      authby          = psk
>      dpdaction       = restart
>      dpddelay        = 30s
>      dpdtimeout      = 20s
>      auto            = start

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
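The timer relationship in the reply above (dpdtimeout must be longer than dpddelay, ideally four to five times longer, or the dead-peer action fires before a single R_U_THERE/R_U_THERE_ACK exchange can be missed) is easy to get wrong across many conn sections. The following linter is an added example, not code from the thread or from the strongSwan project: it parses the conn sections of an ipsec.conf-style file, converts the s/m/h/d duration suffixes, and reports any conn whose dpdtimeout is not at least the configured multiple of dpddelay. The embedded sample file is constructed, with the poster's values beside the recommended ones; the conn names, the ratio threshold and the simplified parser (no %default or also= inheritance) are assumptions of this example.

```python
import re

# Constructed sample, not the poster's real file: only the DPD-relevant
# lines, once with the values from the thread and once with the fix.
SAMPLE_IPSEC_CONF = """\
config setup

conn bad-dpd
      keyexchange     = ikev1
      dpdaction       = restart
      dpddelay        = 30s
      dpdtimeout      = 20s     # shorter than dpddelay
      auto            = start

conn good-dpd
      keyexchange     = ikev1
      dpdaction       = restart
      dpddelay        = 30s
      dpdtimeout      = 150s    # 5 x dpddelay
      auto            = start
"""

# ipsec.conf time values: integer with optional s/m/h/d suffix, bare = seconds
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf duration such as '30s', '2m' or '28800' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("not an ipsec.conf duration: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section.

    Simplified parser (assumption of this example): section headers start in
    column 0, parameters are indented, '#' starts a comment. 'config setup'
    is skipped and %default / also= inheritance is not resolved.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            parts = line.split()
            if parts[0] == "conn" and len(parts) > 1:
                current = conns.setdefault(parts[1], {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, val = line.partition("=")
        current[key.strip()] = val.strip()
    return conns


def check_dpd(conn, settings, ratio=4):
    """Findings for one conn; an empty list means the DPD timers are sane."""
    findings = []
    if "dpddelay" not in settings or "dpdtimeout" not in settings:
        return findings  # defaults apply; nothing to compare here
    delay = parse_duration(settings["dpddelay"])
    timeout = parse_duration(settings["dpdtimeout"])
    if timeout <= delay:
        findings.append(
            "%s: dpdtimeout (%ds) <= dpddelay (%ds): the timeout expires "
            "before or at the first DPD check, so dpdaction fires on an idle "
            "but healthy tunnel" % (conn, timeout, delay))
    elif timeout < ratio * delay:
        findings.append(
            "%s: dpdtimeout (%ds) is under %dx dpddelay (%ds): only about %d "
            "unanswered DPD checks fit before dpdaction fires"
            % (conn, timeout, ratio, delay, timeout // delay))
    return findings


def lint(text, ratio=4):
    """Run check_dpd over every conn in an ipsec.conf text; returns all findings."""
    out = []
    for name, settings in parse_conns(text).items():
        out.extend(check_dpd(name, settings, ratio))
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_IPSEC_CONF):
        print(finding)
```

Run it against the real file with `lint(open("/etc/ipsec.conf").read())`; with the sample above it reports only `bad-dpd`. Note that dpdtimeout is only consulted for IKEv1 connections such as the one in the thread; for IKEv2 strongSwan uses its retransmission timeout instead, so a finding on an IKEv2 conn is harmless but still worth cleaning up.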
