[strongSwan] keep tunnel alive
Arun G Nair
arungnair at gmail.com
Mon Apr 8 22:25:30 CEST 2013
Is dpdaction=route suppported ? I couldn't find it in the docs and
strongswan would not start if I provide it.
Arun G Nair
On Sat, Apr 6, 2013 at 4:17 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> It seems as if you didn't have a CHILD_SA in the first place.
> Didn't the IKE negotiation complete successfully or did the
> peer delete the CHILD_SA because of inactivity (e.g. Windows clients
> do this after about 6 minutes). If the latter is the case then
> I'd try dpdaction=route.
> On 04/05/2013 01:19 PM, Arun G Nair wrote:
> > I have dpd enabled.
> > dpdaction=restart
> > dpddelay=10s
> > dpdtimeout=60s
> > The issue is that when i connect, after a certain period without any
> > traffic, from servers hosted behind peer to a web service behind
> > strongswan, it doesn't connect. I have keep trying for some time before
> > it connects to the web service. Peer is a fortigate box and this is a
> > site to site vpn tunnel. I've attached the log. After looking in to the
> > log, can someone tell me if it's the peer that's taking time to bring up
> > the tunnel or is it strongswan ? I see below in the log. Does it mean
> > the peer is not responding ? I don't have control over the peer vpn
> > (fortigate).
> > Apr 4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
> > Apr 4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
> > Apr 4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
> > Apr 4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
> > Apr 4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
> > Apr 4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
> > Apr 4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing
> > DPD action
> > Apr 4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA,
> > no CHILD_SA to recreate
> > Thanks in advance.
> > Regards,
> > Arun G Nair
> > On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj <justin.cinkelj at xlab.si
> > <mailto:justin.cinkelj at xlab.si>> wrote:
> > dpdaction, dpddelay and dpdtimeout are three relevant parameters.
> > With DPD enabled, packet is sent every dpddelay seconds (when there
> > is no normal traffic).
> > With this three settings, client did auto reconnect if server exited
> > normaly (or if server was killed with SIGHUP).
> > But if server process was 'kill -9'-ed, things didn't work as
> > expected (connection might come back, but only temporally).
> > Server was strongswan 4.6.4, client 4.5.2 and IKEv2 was used.
> > I'm interested how this will work for you, and what will be your
> > final configuration.
> > Bye Justin
> > On 04/04/2013 04:13 PM, Arun G Nair wrote:
> >> Hi,
> >> What can I do on strongswan to keep a tunnel alive even if
> >> there's no traffic flowing ? I've dpdaction set to restart. What
> >> else can be done ?
> >> Regards,
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
::: Keep Smiling :::
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users