[strongSwan] keep tunnel alive
andreas.steffen at strongswan.org
Sat Apr 6 12:47:06 CEST 2013
It seems as if you didn't have a CHILD_SA in the first place.
Didn't the IKE negotiation complete successfully or did the
peer delete the CHILD_SA because of inactivity (e.g. Windows clients
do this after about 6 minutes). If the latter is the case then
I'd try dpdaction=route.
On 04/05/2013 01:19 PM, Arun G Nair wrote:
> I have dpd enabled.
> The issue is that when i connect, after a certain period without any
> traffic, from servers hosted behind peer to a web service behind
> strongswan, it doesn't connect. I have keep trying for some time before
> it connects to the web service. Peer is a fortigate box and this is a
> site to site vpn tunnel. I've attached the log. After looking in to the
> log, can someone tell me if it's the peer that's taking time to bring up
> the tunnel or is it strongswan ? I see below in the log. Does it mean
> the peer is not responding ? I don't have control over the peer vpn
> Apr 4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
> Apr 4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
> Apr 4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
> Apr 4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
> Apr 4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
> Apr 4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
> Apr 4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing
> DPD action
> Apr 4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA,
> no CHILD_SA to recreate
> Thanks in advance.
> Arun G Nair
> On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj <justin.cinkelj at xlab.si
> <mailto:justin.cinkelj at xlab.si>> wrote:
> dpdaction, dpddelay and dpdtimeout are three relevant parameters.
> With DPD enabled, packet is sent every dpddelay seconds (when there
> is no normal traffic).
> With this three settings, client did auto reconnect if server exited
> normaly (or if server was killed with SIGHUP).
> But if server process was 'kill -9'-ed, things didn't work as
> expected (connection might come back, but only temporally).
> Server was strongswan 4.6.4, client 4.5.2 and IKEv2 was used.
> I'm interested how this will work for you, and what will be your
> final configuration.
> Bye Justin
> On 04/04/2013 04:13 PM, Arun G Nair wrote:
>> What can I do on strongswan to keep a tunnel alive even if
>> there's no traffic flowing ? I've dpdaction set to restart. What
>> else can be done ?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users