[strongSwan] Establishing CHILD_SA after one end of ipsec tunnel reboots

Michael C. Cambria mcc at fid4.com
Tue Dec 16 22:25:11 CET 2014

On 12/16/2014 03:54 PM, Noel Kuntze wrote:
> Hash: SHA256
> Hello Michael,
> There are two settings you can use to influence the behaviour of dpd:
> 'dpdaction' and 'uniqueids'.
> 'dpdaction' can be set to none, clear, hold and restart.
> One side should be set to "clear" and one side should be set to "restart", to
> ensure that the tunnel gets up properly.
I tried this, with no luck.  Does it matter which end gets which value?  
I set the end that doesn't not reboot to use clear based on what I read 


Note: I need this this to work (e.g. recover) regardless of which side 
reboots.  StrongSwan is being used for site to site.

> Another thing you can set is 'uniqueid'. It takes the different values. For a site-to-site
> connection, you probably want to set 'replace' there.

Right now, uniqueids=never.  I'll play with that value next, thanks.
> Refer to the man page of 'ipsec.conf' for all the details.
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 16.12.2014 um 21:27 schrieb Michael C. Cambria:
>> Hi,
>> I'm looking for info on allowing a site to site IPsec tunnel to be re-established after an outage (e.g. one end of the tunnel reboots.)
>> On the surviving end, the IKEv2 SA looks like it detected the dead peer ("Tasks active: IKE_DPD")
>> Once the rebooting system recovers, a new IKEv2 SA is established.    But a new CHILD_SA cannot be created for some time.  Are there any configuration parameters related to when a new SA can be established?
>> Thanks,
>> MikeC
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> Version: GnuPG v2
> JDrp+gQlZasNVbdCDUlA/jrpSmri+q9gqWaikAmwUsAILApM2trICxiGzdV1qylC
> uecRXL7RcBtjbatvdf5foEaBbrd7Sno04Y3YhdwpiuxuAYCQCyH+ReTZmTDEjb8Y
> H65g9w2/yMlbz0I3+0IN/SvAgpfkznsxa82carl7A3QZiuJKwXFGsWG7hc7qsXF1
> GeRVFTiSMYQfa3pZ4ROLy+ohIqtp+qRQn+whmSDy+Rc6q6jyvFTnT8dJYSBFC1sT
> W1ESJq1eXVxh8InjHORI7rw3/CzAgWq6yDbn4rJU37bemJhKlC9s21f3H4u0R0JD
> RINtOCTqvUzGAGBuvUeFSM7xHON1EHgvBsP5CRvnnOn3PGhk1Vu+7E9cLV6gU2g7
> gP4z3himqfpl0hzUZtCgdWKPMy4+BrgvyIhmgWUv0czZ/T23BzAdJ8Vx11tyT5ua
> vn1Z+BtjvLdDtS07bt3SfTxjzpD66V01UH6wvX5nTSHEt4siqUo44/FbEiaE982e
> EwZTnIvtLCDN7A1aFt9k420zdFsdDMuxyA+8COI3Pn36EvvKphkl0GfENVQIQgzD
> pt8n9OspQkv+yuBTdy+m
> =4G1L
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list