[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites
andreas.steffen at strongswan.org
Thu Apr 4 19:33:12 CEST 2013
from you ipsec.conf file I see that you configured
dpddelay = 30s
dpdtimeout = 20s
with dpdtimeout being shorter than dpdelay. This means that
your connection restarts before the first DPD check happens.
We recommend for dpdtimeout to be betwen 4-5 times higher
than dpddelay, so that the connection is cut only if 4-5
keep-alive packets are not received. In your case:
dpddelay = 30s
dpdtimeout = 150s
On 03.04.2013 00:29, Andreas Ntaflos wrote:
> we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
> connecting to various remote sites (customers, partners, etc) we have no
> control over. Most remote sites use some kind of Checkpoint or Cisco
> device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
> Strongswan connection config is shown below.
> I have observed that when a connection/tunnel between our Strongswan
> endpoint and a remote site has been idle for too long (no idea how long
> exactly), i.e. no traffic went through the tunnel for some time, we need
> to restart Strongswan on our side to re-enable traffic to the remote
> site. Otherwise ping, SSH and anything else just time out. After a
> restart everything instantly works again as expected.
> This is very probably a configuration issue somewhere but I have no idea
> where to start looking. I'd suspect things like keylife and ikelifetime
> are candidates but as far as I can tell these two settings are the same
> and correct on both sides.
> I'd appreciate any hints on how to debug this.
> Thanks in advance,
> conn us.example.com--them.example.net
> type = tunnel
> left = x.y.167.219
> leftid = x.y.167.219
> leftsubnet = 10.1.63.0/24
> right = x.z.170.105
> rightid = x.z.170.105
> rightsubnet = 10.60.2.0/24
> auth = esp
> pfs = yes
> pfsgroup = modp1024
> compress = no
> esp = aes256-sha1!
> ike = aes256-sha1-modp1024!
> ikelifetime = 28800s
> keylife = 3600s
> keyingtries = %forever
> keyexchange = ikev1
> authby = psk
> dpdaction = restart
> dpddelay = 30s
> dpdtimeout = 20s
> auto = start
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users