[strongSwan] Keeping associations up.

Noel Kuntze noel at familie-kuntze.de
Thu Sep 11 19:37:33 CEST 2014



Hello James,

What version of strongSwan runs on the hosts?
Did you set "inactivity" anywhere?
By default, it's unset, so IKE SAs shouldn't expire.
You could have run into problems with IPsec SAs expiring and rekeying failing.
Some logs would be nice to further pinpoint the problem.
Also please supply your configuration files.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 11.09.2014 at 17:12, James Cloos wrote:
> I've got a simple setup, with one central box and a small set of
> satellite boxen.  The satellites only need to use esp for sockets
> with the central box, and the central only for sockets with those
> satellites.
>
> The bandwidth used between central and each satellite is small,
> a weekly burst plus the occasional additional burst.
>
> I based it on the point-to-point transit examples on the web site.
>
> I created a CA for the auth.
>
> Most of the boxen run debian sid, one or two run recent ubuntu.
>
> Initially, everything looked good.  But I recently noticed that the
> associations time out, allowing traffic to flow w/o esp.
>
> Right now, on the central, ipsec statusall shows everything in
> Connections:, but only two in Security Associations.
>
> Ipsec -L shows those two in the esp-related ruleset (one twice),
> plus another box which is not in ipsec statusall output at all.
>
> What do I need to do to keep the associations up full time and ensure
> that all sockets between central and each satellite use esp?
>
> I'd also like to make the iptables rules permanent.  Can that be done
> w/o breaking anything?
>
> Thanks.  It has been /many/ years since I last did anything with ipsec.
>
> -JimC

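A configuration along the lines of Noel's hints (no inactivity timeout, retry forever, DPD with restart) that also addresses the "traffic flows without ESP" observation in James's post. This is an added example of a strongSwan 5.x ipsec.conf for the hub ("central") and one satellite, not a file from the original thread; the conn name, addresses, identities and certificate names are assumptions, and transport mode is assumed from the point-to-point setup.

```ini
# /etc/ipsec.conf on the central host -- added example, not from the thread.
# Assumed: central is 192.0.2.1, the satellite "sat1" is 198.51.100.7, both
# hold certificates issued by the CA James created.

config setup
        # nothing special needed here; the keep-alive behaviour lives in
        # the conn sections below

conn %default
        keyexchange=ikev2
        # The default keyingtries=3 gives up after three failed attempts and
        # leaves the peer without an SA until something re-initiates it.
        keyingtries=%forever
        # Dead Peer Detection: probe an idle peer every 30 s. "restart"
        # re-initiates the connection when the peer stops answering instead
        # of merely deleting the SA ("clear", the default).
        dpddelay=30s
        dpdaction=restart
        # Leave "inactivity" unset (the default). An inactivity timeout
        # closes an idle CHILD_SA after that time; with a weekly burst the
        # SA would be closed almost all of the time.
        leftcert=centralCert.pem
        leftid="C=XX, O=Example, CN=central.example.net"
        type=transport
        # auto=route installs the IPsec policies as soon as the daemon loads
        # the conn and keeps them installed while no SA exists. A matching
        # packet then triggers an IKE negotiation (acquire) and is not sent
        # in clear. With auto=start the policies are removed together with
        # the SA, which is exactly the "traffic flows w/o esp" symptom.
        auto=route

conn sat1
        left=192.0.2.1
        right=198.51.100.7
        rightid="C=XX, O=Example, CN=sat1.example.net"
```

After `ipsec reload`, `ipsec statusall` lists sat1 under "Routed Connections" even while no SA is established, and `ip xfrm policy` shows the policies still in place. `closeaction=restart` was deliberately left out: the trap policy already re-triggers negotiation on the next packet, and strongSwan advises against a closeaction when the peer uses reauthentication, which is on by default for IKEv2.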

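Netfilter rules, in iptables-save format, for the second half of James's question: have the firewall enforce the ESP requirement instead of relying on the SA being up, and make the rules survive a reboot. This is an added example, not from the thread; the addresses are assumptions, and it assumes the Debian/Ubuntu iptables-persistent package, which loads /etc/iptables/rules.v4 at boot.

```text
# /etc/iptables/rules.v4 on the central host -- added example, not from the
# thread. Loaded at boot by iptables-persistent (netfilter-persistent).
# Assumed: the satellite is 198.51.100.7; repeat the block per satellite.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IKE (UDP 500, UDP 4500 for NAT-T) and ESP itself must pass in clear,
# otherwise the SA can never be negotiated or carried.
-A INPUT -s 198.51.100.7 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s 198.51.100.7 -p esp -j ACCEPT
# Decapsulated packets traverse INPUT a second time carrying IPsec policy
# information; only those are accepted. Everything else from the satellite
# is dropped, so a missing SA fails closed instead of letting plaintext in.
-A INPUT -s 198.51.100.7 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 198.51.100.7 -j DROP
# Outbound: only packets that the kernel will ESP-encapsulate may leave.
-A OUTPUT -d 198.51.100.7 -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -d 198.51.100.7 -p esp -j ACCEPT
-A OUTPUT -d 198.51.100.7 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 198.51.100.7 -j DROP
COMMIT
```

Install with `iptables-restore < /etc/iptables/rules.v4` (or `netfilter-persistent reload`) and check with `iptables -L INPUT -v -n` that the policy-match rule, not the DROP rule, is accumulating counters while traffic flows. The mirror image with the roles swapped goes on each satellite; IPv6 peers need the same rules in rules.v6.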