[strongSwan] keep tunnel alive

Arun G Nair arungnair at gmail.com
Fri Apr 5 13:19:44 CEST 2013


I have dpd enabled.

      dpdaction=restart
      dpddelay=10s
      dpdtimeout=60s

The issue is that when I connect, after a certain period without any
traffic, from servers hosted behind the peer to a web service behind
strongSwan, it doesn't connect. I have to keep trying for some time before it
connects to the web service. The peer is a FortiGate box and this is a
site-to-site VPN tunnel. I've attached the log. After looking into the log, can
someone tell me if it's the peer that's taking time to bring up the tunnel
or is it strongSwan? I see the lines below in the log. Does it mean the peer is
not responding? I don't have control over the peer VPN (FortiGate).


Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing DPD action
Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate

Thanks in advance.

Regards,
Arun G Nair


On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj <justin.cinkelj at xlab.si> wrote:

> dpdaction, dpddelay and dpdtimeout are the three relevant parameters.
> With DPD enabled, a packet is sent every dpddelay seconds (when there is no
> normal traffic).
> With these three settings, the client did auto reconnect if the server exited
> normally (or if the server was killed with SIGHUP).
>
> But if the server process was 'kill -9'-ed, things didn't work as expected
> (the connection might come back, but only temporarily).
> The server was strongSwan 4.6.4, the client 4.5.2, and IKEv2 was used.
>
> I'm interested in how this will work for you, and what your final
> configuration will be.
>
> Bye Justin
>
>
> On 04/04/2013 04:13 PM, Arun G Nair wrote:
>
> Hi,
>
>     What can I do on strongSwan to keep a tunnel alive even if there's no
> traffic flowing? I have dpdaction set to restart. What else can be done?
>
>  Regards,
>
>  --
> ::: Keep Smiling :::
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>



-- 
::: Keep Smiling :::
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn.log
Type: application/octet-stream
Size: 10723 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130405/eb262408/attachment.obj>
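
Added example (not part of the original messages and not strongSwan code): a Python check of the log excerpt above against the posted dpddelay=10s and dpdtimeout=60s. The function names are made up for the example, and it assumes that DPD requests sent within dpdtimeout before a "DPD check timed out" line are the ones that went unanswered.

```python
import re
from datetime import datetime

DPD_DELAY, DPD_TIMEOUT = 10, 60  # dpddelay=10s, dpdtimeout=60s from the message

# Log excerpt from the message, with two entries wrapped at the mail line length.
POSTED_LOG = """\
Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing DPD
action
Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA, no
CHILD_SA to recreate
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")

def unwrap(text):
    """Rejoin continuation lines (those without a leading syslog timestamp)."""
    out = []
    for line in text.splitlines():
        if LINE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out

def dpd_timeouts(text, year=2013):
    """One summary per 'DPD check timed out' event; syslog omits the year."""
    probes, events = [], []
    for line in unwrap(text):
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "sending DPD request":
            probes.append(ts)
        elif m.group(2).startswith("DPD check timed out"):
            # Assumption: requests inside the dpdtimeout window went unanswered.
            window = [p for p in probes if (ts - p).total_seconds() <= DPD_TIMEOUT]
            gaps = sorted({(b - a).total_seconds() for a, b in zip(window, window[1:])})
            elapsed = (ts - window[0]).total_seconds() if window else None
            ok = gaps == [float(DPD_DELAY)] and elapsed == DPD_TIMEOUT
            events.append({"probes": len(window), "gaps_s": gaps,
                           "elapsed_s": elapsed, "matches_config": ok})
            probes = []
    return events

print(dpd_timeouts(POSTED_LOG))
```

For the excerpt above this reports one timeout event: six requests, 10 seconds apart, with 60 seconds between the first request and the timeout, which is what the posted dpddelay and dpdtimeout values predict.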

