[strongSwan] Random IPSEC IKE1 Dropping

Noel Kuntze noel at familie-kuntze.de
Thu Jul 10 21:45:43 CEST 2014

Hash: SHA256

Hello Bradley,

Without a log file, I can only assume, that the tunnel gets torn down, because the communication to the peers get severed.
I propose enabling dpd with dpdaction=restart, as well as closeaction=restart, so the tunnel gets reestablished, if it gets severed for some reason.

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 10.07.2014 19:42, schrieb Turnbough, Bradley E.:
> Can anyone help me out with this issue?  I know I have very few details to go off of, but at this point, I don't know what else is needed and what needs to be provided.
> Thanks,
> Brad
> ________________________________
> From: Turnbough, Bradley E.
> Sent: Wednesday, July 09, 2014 9:00 AM
> To: users at lists.strongswan.org
> Subject: Random IPSEC IKE1 Dropping
> Hello All,
> I'm currently running this config on an active strongswan box.  I am running CentOS 6.5 (fully patched) along side of strongswan version "Linux strongSwan U5.0.4/K2.6.32-431.3.1.el6.x86_6"
> We upgraded a while back from a version that still used pluto to this new version (which uses charon)  We've started to experience random conn drops (primarilly on sa-01 and sa-05.  The only way to resolve this that I've found is to perform a 'service strongswan restart' This is not the only conn which experiences this, so I'm thinking this may be a configuration issue or a bug.  The problem is, is I don't necessarily know much about ipsec.  I'm hoping someone can help me out.  Can anyone?  Please?
> conn customer-sa-01
>   auto=start
>   rightsubnet=A.0.0.0/8
>   also=customer-default
> conn customer-sa-02
>   auto=start
>   rightsubnet=B.C.0.0/16
>   also=customer-default
> conn customer-sa-03
>   auto=start
>   rightsubnet=D.E.0.0/16
>   also=customer-default
> conn customer-sa-04
>   auto=start
>   rightsubnet=F.G.0.0/15
>   also=customer-default
> conn customer-sa-05
>   auto=start
>   rightsubnet=H.I.0.0/15
>   also=customer-default
> conn customer-sa-06
>   auto=start
>   rightsubnet=J.K.0.0/16
>   also=customer-default
> conn customer-sa-07
>   auto=start
>   rightsubnet=L.M.0.0/16
>   also=customer-default
> conn customer-sa-08
>   auto=start
>   rightsubnet=N.O.P.Q/32
>   also=customer-default
> conn customer-default
>   keyingtries=%forever
>   authby=secret
>   left=R.S.T.U
>   leftsubnet=V.W.X.0/24
>   right=Y.Z.AA.BB
>   rightallowany=yes
>   keyexchange=ikev1
>   ikelifetime=480m
>   keylife=3600s
>   mobike=no
>   ike=aes256-sha1-modp1024
>   esp=3des-md5
> _____________________________________________________________ This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Users mailing list