[strongSwan] Random IPSEC IKE1 Dropping

Noel Kuntze noel at familie-kuntze.de
Thu Jul 10 21:45:43 CEST 2014


Hello Bradley,

Without a log file, I can only assume that the tunnel gets torn down because the communication to the peers gets severed.
I propose enabling DPD with dpdaction=restart, as well as closeaction=restart, so the tunnel gets reestablished if it gets severed for some reason.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 10.07.2014 19:42, Turnbough, Bradley E. wrote:
> Can anyone help me out with this issue?  I know I have very few details to go off of, but at this point, I don't know what else is needed and what needs to be provided.
>
> Thanks,
>
> Brad
> ________________________________
> From: Turnbough, Bradley E.
> Sent: Wednesday, July 09, 2014 9:00 AM
> To: users at lists.strongswan.org
> Subject: Random IPSEC IKE1 Dropping
>
> Hello All,
>
> I'm currently running this config on an active strongswan box.  I am running CentOS 6.5 (fully patched) alongside strongswan version "Linux strongSwan U5.0.4/K2.6.32-431.3.1.el6.x86_6"
>
> We upgraded a while back from a version that still used pluto to this new version (which uses charon).  We've started to experience random conn drops (primarily on sa-01 and sa-05).  The only way to resolve this that I've found is to perform a 'service strongswan restart'.  This is not the only conn which experiences this, so I'm thinking this may be a configuration issue or a bug.  The problem is, I don't necessarily know much about ipsec.  I'm hoping someone can help me out.  Can anyone?  Please?
>
> conn customer-sa-01
>   auto=start
>   rightsubnet=A.0.0.0/8
>   also=customer-default
>
> conn customer-sa-02
>   auto=start
>   rightsubnet=B.C.0.0/16
>   also=customer-default
>
> conn customer-sa-03
>   auto=start
>   rightsubnet=D.E.0.0/16
>   also=customer-default
>
> conn customer-sa-04
>   auto=start
>   rightsubnet=F.G.0.0/15
>   also=customer-default
>
> conn customer-sa-05
>   auto=start
>   rightsubnet=H.I.0.0/15
>   also=customer-default
>
> conn customer-sa-06
>   auto=start
>   rightsubnet=J.K.0.0/16
>   also=customer-default
>
> conn customer-sa-07
>   auto=start
>   rightsubnet=L.M.0.0/16
>   also=customer-default
>
> conn customer-sa-08
>   auto=start
>   rightsubnet=N.O.P.Q/32
>   also=customer-default
>
> conn customer-default
>   keyingtries=%forever
>   authby=secret
>   left=R.S.T.U
>   leftsubnet=V.W.X.0/24
>   right=Y.Z.AA.BB
>   rightallowany=yes
>   keyexchange=ikev1
>   ikelifetime=480m
>   keylife=3600s
>   mobike=no
>   ike=aes256-sha1-modp1024
>   esp=3des-md5
>
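The reply proposes dpdaction=restart and closeaction=restart; the following is an added example, not part of the original thread or of strongSwan's tooling, that reports which `auto=start` conns in an ipsec.conf-style file still lack those two settings once `also=` includes are followed. The function names and the sample text are constructed for illustration, and the code assumes a conn's own settings take precedence over those pulled in via `also=`.

```python
# Constructed sample modelled on the posted config; not the poster's real file.
SAMPLE = """\
conn customer-sa-01
  auto=start
  also=customer-default
conn customer-sa-05
  auto=start
  dpdaction=restart
  also=customer-default
conn customer-default
  closeaction=restart
"""

WANTED = ("dpdaction", "closeaction")  # options the reply proposes setting to restart

def parse_conns(text):
    """Return {conn_name: [(key, value), ...]} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and line[0] not in " \t":  # section header, e.g. "conn name"
            parts = line.split()
            current = conns.setdefault(parts[1], []) if parts[:1] == ["conn"] and len(parts) == 2 else None
        elif line and current is not None and "=" in line:
            current.append(tuple(p.strip() for p in line.split("=", 1)))
    return conns

def effective(conns, name, seen=()):
    """Merge a conn with sections it includes via also= (assumed: own keys win)."""
    merged = {}
    if name in seen or name not in conns:  # unknown section or also= loop
        return merged
    for key, value in conns[name]:
        if key == "also":
            merged = {**effective(conns, value, seen + (name,)), **merged}
    return {**merged, **{k: v for k, v in conns[name] if k != "also"}}

def missing_restart(text):
    """Map each auto=start conn to the WANTED options not set to restart."""
    conns = parse_conns(text)
    report = {}
    for name in conns:
        eff = effective(conns, name)
        gaps = [k for k in WANTED if eff.get(k) != "restart"]
        if eff.get("auto") == "start" and gaps:
            report[name] = gaps
    return report

print(missing_restart(SAMPLE))  # {'customer-sa-01': ['dpdaction']}
```

Putting both options in the shared `customer-default` section covers every conn that includes it, which is why the check resolves `also=` before reporting.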