[strongSwan] Keeping associations up.

James Cloos cloos at jhcloos.com
Thu Sep 11 17:12:59 CEST 2014

I've got a simple setup, with one central box and a small set of
satellite boxen.  The satellites only need to use esp for sockets
with the central box, and the central only for sockets with those

The bandwidth used between central and each satellite is small,
a weekly burst plus the occasional additional burst.

I based it on the point-to-point transit examples on the web site.

I created a CA for the auth.

Most of the boxen run debian sid, one or two run recent ubuntu.

Initially, everything looked good.  But I recently noticed that the
associations time out, allowing traffic to flow w/o esp.

Right now, on the central, ipsec statusall shows everything in
Connections:, but only two in Security Associations.

Ipsec -L shows those two in the esp-related ruleset (one twice),
plus another box which is not in ipsec statusall output at all.

What do I need to do to keep the associations up full time and ensure
that all sockets between central and each satellite use esp?

I'd also like to make the iptables rules permanent.  Can that be done
w/o breaking anything?

Thanks.  It has been /many/ years since I last did anything with ipsec.

James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
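As an added illustration (not part of the original post, and not the author's configuration), this is a strongSwan ipsec.conf fragment for the central box that addresses the two behaviours asked about: a trap policy so that matching traffic is never sent in the clear while the SA is down, and dead peer detection with automatic restart so a timed-out association is rebuilt. Hostnames, addresses, certificate names and DNs are placeholders.

```ini
# Added example: strongSwan ipsec.conf fragment for the central box.
# All names, addresses and DNs below are placeholders.
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    # Transport mode protects only traffic between the two endpoints,
    # which matches the host-to-host setup described.
    type=transport
    # auto=route installs a kernel trap policy at startup: packets that
    # match it are held and trigger IKE negotiation instead of leaving
    # unencrypted, so an expired SA cannot fall back to plaintext.
    auto=route
    # Dead peer detection: probe an idle peer and rebuild the SA when
    # it stops answering, instead of keeping a stale association.
    dpdaction=restart
    dpddelay=30s
    # Re-establish if the peer deletes the SA, and keep retrying.
    closeaction=restart
    keyingtries=%forever
    leftcert=centralCert.pem                          # placeholder
    leftid="C=XX, O=Example, CN=central.example.net"  # placeholder
    rightca="C=XX, O=Example, CN=Example CA"          # placeholder CA

conn satellite1
    left=198.51.100.1                    # central (documentation range)
    right=198.51.100.2                   # satellite (documentation range)
    rightid="C=XX, O=Example, CN=sat1.example.net"
```

With auto=route in place, `ip xfrm policy` on the central box should list a policy for each satellite even when `ipsec statusall` shows no established Security Association for it; the policy, not the SA, is what stops cleartext traffic.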

