[strongSwan] keep tunnel alive

Andreas Steffen andreas.steffen at strongswan.org
Sat Apr 6 12:47:06 CEST 2013

It seems as if you didn't have a CHILD_SA in the first place.
Didn't the IKE negotiation complete successfully or did the
peer delete the CHILD_SA because of inactivity (e.g. Windows clients
do this after about 6 minutes). If the latter is the case then
I'd try dpdaction=route.



On 04/05/2013 01:19 PM, Arun G Nair wrote:
> I have dpd enabled.
>       dpdaction=restart
>       dpddelay=10s
>       dpdtimeout=60s
> The issue is that when i connect, after a certain period without any
> traffic, from servers hosted behind peer to a web service behind
> strongswan, it doesn't connect. I have keep trying for some time before
> it connects to the web service. Peer is a fortigate box and this is a
> site to site vpn tunnel. I've attached the log. After looking in to the
> log, can someone tell me if it's the peer that's taking time to bring up
> the tunnel or is it strongswan ? I see below in the log. Does it mean
> the peer is not responding ? I don't have control over the peer vpn
> (fortigate).
> Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
> Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
> Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
> Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
> Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
> Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
> Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing
> DPD action 
> Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA,
> no CHILD_SA to recreate
> Thanks in advance.
> Regards,
> Arun G Nair
> On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj <justin.cinkelj at xlab.si
> <mailto:justin.cinkelj at xlab.si>> wrote:
>     dpdaction, dpddelay and dpdtimeout are three relevant parameters.
>     With DPD enabled, packet is sent every dpddelay seconds (when there
>     is no normal traffic).
>     With this three settings, client did auto reconnect if server exited
>     normaly (or if server was killed with SIGHUP).
>     But if server process was 'kill -9'-ed, things didn't work as
>     expected (connection might come back, but only temporally).
>     Server was strongswan 4.6.4, client 4.5.2 and IKEv2 was used.
>     I'm interested how this will work for you, and what will be your
>     final configuration.
>     Bye Justin
>     On 04/04/2013 04:13 PM, Arun G Nair wrote:
>>     Hi,
>>        What can I do on strongswan to keep a tunnel alive even if
>>     there's no traffic flowing ? I've dpdaction set to restart. What
>>     else can be done ?
>>     Regards,

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130406/7fab523c/attachment.bin>

More information about the Users mailing list