[strongSwan] Establishing CHILD_SA after one end of ipsec tunnel reboots

Noel Kuntze noel at familie-kuntze.de
Tue Dec 16 21:54:21 CET 2014


Hello Michael,

There are two settings you can use to influence the behaviour of dpd:
'dpdaction' and 'uniqueids'.

'dpdaction' can be set to none, clear, hold and restart.
One side should be set to "clear" and one side should be set to "restart", to
ensure that the tunnel gets up properly.
Another thing you can set is 'uniqueids'. It takes different values. For a site-to-site
connection, you probably want to set 'replace' there.
Refer to the man page of 'ipsec.conf' for all the details.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 16.12.2014 at 21:27, Michael C. Cambria wrote:
>
> Hi,
>
> I'm looking for info on allowing a site to site IPsec tunnel to be re-established after an outage (e.g. one end of the tunnel reboots.)
>
> On the surviving end, the IKEv2 SA looks like it detected the dead peer ("Tasks active: IKE_DPD")
>
> Once the rebooting system recovers, a new IKEv2 SA is established. But a new CHILD_SA cannot be created for some time. Are there any configuration parameters related to when a new SA can be established?
>
> Thanks,
> MikeC

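Added example, not part of the original message or of the strongSwan project: an `ipsec.conf` pair for the two gateways showing where the settings from the reply go ('uniqueids' in `config setup`, 'dpdaction' in the `conn` section). The connection name, addresses (documentation ranges), subnets, `authby=secret` and the choice of which gateway initiates are assumptions made for illustration.

```conf
# ---- /etc/ipsec.conf on gateway A (constructed example) ----
config setup
    # Global setting: a new IKE_SA from a peer identity that already has one
    # replaces the old IKE_SA instead of coexisting with it.
    uniqueids=replace

conn site-to-site
    keyexchange=ikev2
    left=192.0.2.1              # assumed public address of gateway A
    leftsubnet=10.1.0.0/24      # assumed LAN behind gateway A
    right=198.51.100.1          # assumed public address of gateway B
    rightsubnet=10.2.0.0/24     # assumed LAN behind gateway B
    authby=secret               # assumes a matching PSK in ipsec.secrets
    auto=start                  # assumption: A initiates at daemon start
    dpddelay=30s                # interval between liveness checks
    # When the peer is declared dead, immediately try to re-negotiate.
    dpdaction=restart

# ---- /etc/ipsec.conf on gateway B (constructed example) ----
config setup
    uniqueids=replace

conn site-to-site
    keyexchange=ikev2
    left=198.51.100.1
    leftsubnet=10.2.0.0/24
    right=192.0.2.1
    rightsubnet=10.1.0.0/24
    authby=secret
    auto=add                    # assumption: B loads the conn and waits for A
    dpddelay=30s
    # When the peer is declared dead, close the connection and take no
    # further action; the "restart" side brings the tunnel back up.
    dpdaction=clear
```

After a reboot test, `ipsec statusall` on the surviving gateway shows whether the old IKE_SA was replaced and a CHILD_SA is installed.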



