[strongSwan] Establishing CHILD_SA after one end of ipsec tunnel reboots

Michael C. Cambria mcc at fid4.com
Tue Dec 16 22:25:11 CET 2014


On 12/16/2014 03:54 PM, Noel Kuntze wrote:
> Hello Michael,
>
> There are two settings you can use to influence the behaviour of dpd:
> 'dpdaction' and 'uniqueids'.
>
> 'dpdaction' can be set to none, clear, hold and restart.
> One side should be set to "clear" and one side should be set to "restart", to
> ensure that the tunnel gets up properly.
I tried this, with no luck.  Does it matter which end gets which value?
I set the end that doesn't reboot to use clear based on what I read
here:

https://lists.strongswan.org/pipermail/users/2012-February/002537.html

Note: I need this to work (e.g. recover) regardless of which side
reboots.  StrongSwan is being used for site to site.

> Another thing you can set is 'uniqueids'. It takes different values. For a site-to-site
> connection, you probably want to set 'replace' there.

Right now, uniqueids=never.  I'll play with that value next, thanks.

> Refer to the man page of 'ipsec.conf' for all the details.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 16.12.2014 um 21:27 schrieb Michael C. Cambria:
>> Hi,
>>
>> I'm looking for info on allowing a site to site IPsec tunnel to be re-established after an outage (e.g. one end of the tunnel reboots.)
>>
>> On the surviving end, the IKEv2 SA looks like it detected the dead peer ("Tasks active: IKE_DPD")
>>
>> Once the rebooting system recovers, a new IKEv2 SA is established.    But a new CHILD_SA cannot be created for some time.  Are there any configuration parameters related to when a new SA can be established?
>>
>> Thanks,
>> MikeC
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
