[strongSwan] Keeping associations up.
noel at familie-kuntze.de
Thu Sep 11 19:37:33 CEST 2014
What version of strongSwan runs on the hosts?
Did you set "inactivity" anywhere?
By default, it's unset, so IKE SAs shouldn't expire.
You could have run into problems with IPsec SAs expiring and rekeying failing.
Some logs would be nice to further pinpoint the problem.
Also please supply your configuration files.
Kind regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 11.09.2014 at 17:12, James Cloos wrote:
> I've got a simple setup, with one central box and a small set of
> satellite boxen. The satellites only need to use esp for sockets
> with the central box, and the central only for sockets with those
> The bandwidth used between central and each satellite is small,
> a weekly burst plus the occasional additional burst.
> I based it on the point-to-point transit examples on the web site.
> I created a CA for the auth.
> Most of the boxen run debian sid, one or two run recent ubuntu.
> Initially, everything looked good. But I recently noticed that the
> associations time out, allowing traffic to flow w/o esp.
> Right now, on the central, ipsec statusall shows everything in
> Connections:, but only two in Security Associations.
> Ipsec -L shows those two in the esp-related ruleset (one twice),
> plus another box which is not in ipsec statusall output at all.
> What do I need to do to keep the associations up full time and ensure
> that all sockets between central and each satellite use esp?
> I'd also like to make the iptables rules permanent. Can that be done
> w/o breaking anything?
> Thanks. It has been /many/ years since I last did anything with ipsec.