[strongSwan] keep tunnel alive

Andreas Steffen andreas.steffen at strongswan.org
Mon Apr 8 23:20:35 CEST 2013


Sorry, the option is called dpdaction=hold.

Andreas

On 04/08/2013 10:25 PM, Arun G Nair wrote:
> hello Andreas,
> 
>    Is dpdaction=route supported? I couldn't find it in the docs and
> strongswan would not start if I provide it.
> 
> Regards,
> Arun G Nair
> 
> 
> On Sat, Apr 6, 2013 at 4:17 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
> 
>     It seems as if you didn't have a CHILD_SA in the first place.
>     Didn't the IKE negotiation complete successfully or did the
>     peer delete the CHILD_SA because of inactivity (e.g. Windows clients
>     do this after about 6 minutes)? If the latter is the case then
>     I'd try dpdaction=route.
> 
>     Regards
> 
>     Andreas
> 
>     On 04/05/2013 01:19 PM, Arun G Nair wrote:
>     > I have dpd enabled.
>     >
>     >       dpdaction=restart
>     >       dpddelay=10s
>     >       dpdtimeout=60s
>     >
>     > The issue is that when I connect, after a certain period without any
>     > traffic, from servers hosted behind peer to a web service behind
>     > strongswan, it doesn't connect. I have to keep trying for some time
>     > before it connects to the web service. Peer is a fortigate box and
>     > this is a site to site vpn tunnel. I've attached the log. After looking
>     > into the log, can someone tell me if it's the peer that's taking time
>     > to bring up the tunnel or is it strongswan? I see below in the log.
>     > Does it mean the peer is not responding? I don't have control over
>     > the peer vpn (fortigate).
>     >
>     >
>     > Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
>     > Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
>     > Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
>     > Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
>     > Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
>     > Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
>     > Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing DPD action
>     > Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
>     >
>     > Thanks in advance.
>     >
>     > Regards,
>     > Arun G Nair
>     >
>     >
>     > On Thu, Apr 4, 2013 at 11:12 PM, Justin Cinkelj
>     > <justin.cinkelj at xlab.si> wrote:
>     >
>     >     dpdaction, dpddelay and dpdtimeout are three relevant parameters.
>     >     With DPD enabled, a packet is sent every dpddelay seconds (when
>     >     there is no normal traffic).
>     >     With these three settings, the client did auto reconnect if the
>     >     server exited normally (or if the server was killed with SIGHUP).
>     >
>     >     But if the server process was 'kill -9'-ed, things didn't work as
>     >     expected (connection might come back, but only temporarily).
>     >     Server was strongswan 4.6.4, client 4.5.2 and IKEv2 was used.
>     >
>     >     I'm interested how this will work for you, and what will be your
>     >     final configuration.
>     >
>     >     Bye Justin
>     >
>     >
>     >     On 04/04/2013 04:13 PM, Arun G Nair wrote:
>     >>     Hi,
>     >>
>     >>        What can I do on strongswan to keep a tunnel alive even if
>     >>     there's no traffic flowing ? I've dpdaction set to restart. What
>     >>     else can be done ?
>     >>
>     >>     Regards,
> 
>     ======================================================================
>     Andreas Steffen                         andreas.steffen at strongswan.org
>     strongSwan - the Linux VPN Solution!                www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
> 
> 
> 
> 
> -- 
> ::: Keep Smiling :::


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
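
An added example, not part of the original thread and not strongSwan code: a small Python parser that reads charon syslog lines like those quoted above and reports each DPD timeout, how many DPD requests preceded it, and whether charon logged that there was no CHILD_SA to recreate. The sample lines are the quoted log with the mail wrapping undone; the function name, field names and the `year` parameter are assumptions of this example.

```python
import re
from datetime import datetime

# Lines from the quoted log in this thread, mail line wrapping undone.
SAMPLE_LOG = """\
Apr  4 16:13:51 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:01 vpn01pp charon: 13[IKE] sending DPD request
Apr  4 16:14:11 vpn01pp charon: 01[IKE] sending DPD request
Apr  4 16:14:21 vpn01pp charon: 12[IKE] sending DPD request
Apr  4 16:14:31 vpn01pp charon: 14[IKE] sending DPD request
Apr  4 16:14:41 vpn01pp charon: 15[IKE] sending DPD request
Apr  4 16:14:51 vpn01pp charon: 02[JOB] DPD check timed out, enforcing DPD action
Apr  4 16:14:51 vpn01pp charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
"""

# search() is used so that quote prefixes such as "> " in front of a line are tolerated.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$"
)

def dpd_timeouts(log_text, year=2013):
    """Return one dict per 'DPD check timed out' line in charon syslog text.
    syslog timestamps carry no year, so `year` is supplied by the caller."""
    events, run = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw.rstrip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if msg == "sending DPD request":
            run.append(ts)
        elif msg.startswith("DPD check timed out"):
            events.append({
                "timed_out_at": ts,
                "requests_sent": len(run),
                "seconds_since_first_request":
                    int((ts - run[0]).total_seconds()) if run else None,
                "no_child_sa": False,
            })
            run = []
        elif "no CHILD_SA to recreate" in msg and events \
                and events[-1]["timed_out_at"] == ts:
            events[-1]["no_child_sa"] = True  # DPD action had nothing to recreate
        else:
            run = []  # any other charon line ends the run of DPD requests

    return events

if __name__ == "__main__":
    for event in dpd_timeouts(SAMPLE_LOG):
        print(event)
```

On the quoted log this reports a single event: six requests at 10-second spacing and a timeout 60 seconds after the first one, consistent with the dpddelay=10s and dpdtimeout=60s in the quoted configuration.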
