[strongSwan] 102x102 Host2Host tunnels - failure to reestablish some of them after network outage
Martin Willi
martin at strongswan.org
Tue Jul 8 10:03:53 CEST 2014
Jiri,
> Our requirement is to keep retrying the tunnel no matter what happens,
> so I ended up with a config like below for each host.
> It seems that strongswan just stopped trying to connect to
> some of the nodes (the failed "tunnels" are between different nodes, the
> distribution seems to be random). I am out of ideas why strongswan gave
> up trying and how to force real "forever retry".
> keyingtries=%forever
> dpdaction=restart
> closeaction=restart
> auto=start
Even with such a configuration, there is no guarantee that your tunnel
comes up. strongSwan gives up tunnel negotiation if it fails with a
permanent error.
To realize always-up tunnels, I recommend using auto=route for your
connections. This installs trap policies, and negotiates tunnels on
demand. The kernel ensures that no matching plain traffic leaves your
box, but instead it triggers a new tunnel should one fail for whatever
reason.
Regards
Martin
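As an added illustration of the two settings being discussed (this is not part of Martin's reply or of strongSwan's own documentation), here is one host-to-host conn in ipsec.conf syntax written both ways: the auto=start form from the quoted config, and the auto=route form Martin recommends. The conn names, the 192.0.2.x addresses and PSK authentication are assumptions; on a real host you would keep only one of the two conns, since they describe the same pair of peers.

```conf
# Added example, not from the original thread. Names, addresses and
# authby are assumed; use exactly one of the two conns below per peer.

# Before: auto=start. charon initiates at startup and keeps retrying only
# for as long as the failure looks temporary. A permanent error ends the
# attempts, and with no trap policy nothing re-triggers negotiation.
conn h2h-node01-node02-start
    keyexchange=ikev2
    left=192.0.2.1
    right=192.0.2.2
    authby=psk
    keyingtries=%forever
    dpdaction=restart
    closeaction=restart
    auto=start

# After: auto=route. charon installs a trap policy for the host pair at
# startup. Plain traffic between the two hosts never leaves the box; the
# first matching packet (including any packet sent after an SA has been
# lost) causes the kernel to ask charon for a new tunnel.
conn h2h-node01-node02-route
    keyexchange=ikev2
    left=192.0.2.1
    right=192.0.2.2
    authby=psk
    keyingtries=%forever
    dpdaction=restart
    closeaction=restart
    auto=route
```

Two things worth checking after switching: `ipsec statusall` should list the conn under its "Routed Connections" section even while no SA exists, and `ip xfrm policy` should show the corresponding outbound policy for the host pair. The caveat is that auto=route negotiates on demand, so a pair of hosts that never send each other traffic will simply have no tunnel until one of them does; that is different from a tunnel strongSwan has given up on, because the trap policy guarantees the next packet re-triggers negotiation.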