[strongSwan] keep tunnel alive

Arun G Nair arungnair at gmail.com
Mon Apr 8 22:25:30 CEST 2013


Hello Andreas,

   Is dpdaction=route supported? I couldn't find it in the docs and
strongswan would not start if I provide it.

Regards,
Arun G Nair


On Sat, Apr 6, 2013 at 4:17 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> It seems as if you didn't have a CHILD_SA in the first place.
> Didn't the IKE negotiation complete successfully or did the
> peer delete the CHILD_SA because of inactivity (e.g. Windows clients
> do this after about 6 minutes)? If the latter is the case then
> I'd try dpdaction=route.
>
> Regards
>
> Andreas
>
> On 04/05/2013 01:19 PM, Arun G Nair wrote:
> > I have dpd enabled.
> >
> >       dpdaction=restart
> >       dpddelay=10s
> >       dpdtimeout=60s
> >
> > The issue is that when I connect, after a certain period without any
> > traffic, from servers hosted behind peer to a web service behind
> > strongswan, it doesn't connect. I have to keep trying for some time before
> > it connects to the web service. Peer is a fortigate box and this is a
> > site to site vpn tunnel. I've attached the log. After looking into the
> > log, can someone tell me if it's the peer that's taking time to bring up
> > the tunnel or is it strongswan? I see below in the log. Does it mean
> > the peer is not responding? I don't have control over the peer vpn
> > (fortigate).
> >
> >
> > Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
> > Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
> > Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
> > Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
> > Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
> > Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
> > Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing
> > DPD action
> > Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA,
> > no CHILD_SA to recreate
> >
> > Thanks in advance.
> >
> > Regards,
> > Arun G Nair
> >
> >
> > On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj <justin.cinkelj at xlab.si
> > <mailto:justin.cinkelj at xlab.si>> wrote:
> >
> >     dpdaction, dpddelay and dpdtimeout are three relevant parameters.
> >     With DPD enabled, a packet is sent every dpddelay seconds (when there
> >     is no normal traffic).
> >     With these three settings, client did auto reconnect if server exited
> >     normally (or if server was killed with SIGHUP).
> >
> >     But if server process was 'kill -9'-ed, things didn't work as
> >     expected (connection might come back, but only temporarily).
> >     Server was strongswan 4.6.4, client 4.5.2 and IKEv2 was used.
> >
> >     I'm interested how this will work for you, and what will be your
> >     final configuration.
> >
> >     Bye Justin
> >
> >
> >     On 04/04/2013 04:13 PM, Arun G Nair wrote:
> >>     Hi,
> >>
> >>        What can I do on strongswan to keep a tunnel alive even if
> >>     there's no traffic flowing? I've dpdaction set to restart. What
> >>     else can be done?
> >>
> >>     Regards,
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>


-- 
::: Keep Smiling :::
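
Added example, not part of the original thread and not strongSwan code: a small Python check that reads the charon lines quoted above and reports, for each DPD timeout, how many probes went unanswered, whether their spacing matches the quoted dpddelay/dpdtimeout, and whether charon had a CHILD_SA to recreate. The function names, the year 2013 and the handling of only the three message types shown in the thread are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Values quoted in the thread's configuration excerpt.
DPD_DELAY_S, DPD_TIMEOUT_S = 10, 60

# charon lines from the thread, with the mail-wrapped lines rejoined.
SAMPLE_LOG = """\
Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing DPD action
Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(\w+)\] (.*)$")

def parse(log, year=2013):  # syslog omits the year; 2013 is taken from the mail dates
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def dpd_timeouts(events):
    """One finding per 'DPD check timed out' line, with the probes sent before it."""
    findings = []
    for ts, _, msg in events:
        if msg.startswith("DPD check timed out"):
            start = ts - timedelta(seconds=DPD_TIMEOUT_S)
            probes = [t for t, _, m in events
                      if m == "sending DPD request" and start <= t < ts]
            gaps = {int((b - a).total_seconds()) for a, b in zip(probes, probes[1:])}
            findings.append({
                "timeout_at": ts,
                "probes": len(probes),
                "gaps_s": sorted(gaps),
                "silent_s": int((ts - probes[0]).total_seconds()) if probes else None,
                "matches_config": gaps == {DPD_DELAY_S},
                "restart_failed": False,
            })
        elif "no CHILD_SA to recreate" in msg and findings:
            # charon reported it had no CHILD_SA to recreate when enforcing the DPD action
            findings[-1]["restart_failed"] = True
    return findings

if __name__ == "__main__":
    for finding in dpd_timeouts(parse(SAMPLE_LOG)):
        print(finding)
```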