[strongSwan] dpdaction=restart doesn't always bring up link
Noel Kuntze
noel at familie-kuntze.de
Sun Apr 26 23:09:12 CEST 2015
Don't use closeaction=restart.
That option is only there for cases where the other side has
a broken or incompatible implementation of IKE, where CHILD_SAs are
deleted by the other side, although they are still needed.
Using that option in cases where it is not needed will cause
undesired behaviour.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 26.04.2015 at 23:06, Miroslav Svoboda wrote:
> What about "closeaction=restart", may it help?
>
> On Sunday, April 26, 2015 at 7:49:55 PM UTC+2, Noel Kuntze wrote:
>
>
> Hello Daniel,
>
> Try keyingtries=%forever
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.04.2015 at 16:31, Daniel Pocock wrote:
>
>
> > I have StrongSWAN on an OpenWRT router
>
> > ipsec version reports:
> > Linux strongSwan U5.0.4/K3.3.8
>
>
> > Sometimes the DSL goes down and comes up again within a minute or so but
> > the VPN doesn't always re-establish itself.
>
> > I have the following in /etc/ipsec.conf:
>
> > config setup
> >     # strictcrlpolicy=yes
> >     # uniqueids = no
>
> > # Add connections here.
>
> > conn vpn
> >     left=%defaultroute
> >     leftid=@wrt1.example.org
> >     leftcert=wrt1Cert.der
> >     leftsubnet=192.168.1.0/24,2001:1234:5678:0::/64
> >     leftfirewall=no
> >     lefthostaccess=no
> >     right=vpn.example.org
> >     rightid=@vpn.example.org
> >     rightsubnet=198.51.100.0/24,2001:abcd:1234:1000::/52
> >     keyexchange=ikev2
> >     auto=start
> >     dpdaction=restart
>
>
> > Is there anything else I should do to ensure this VPN is always up?
>
> > The OpenWRT device almost always gets the same IP address from the ISP,
> > but it is not guaranteed to be static, so it can only be started from
> > OpenWRT and not from the other end of the link.
>
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
>
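Added example, not part of the original messages: a small ipsec.conf check that applies the two pieces of advice from this thread (avoid closeaction=restart, set keyingtries=%forever on a conn the router must keep up). The function names and the sample text are constructed for illustration, and `also=` includes are not followed.

```python
# Constructed sample: the conn from the thread, trimmed, with the option
# asked about (closeaction=restart) added.
SAMPLE = """\
config setup
    # strictcrlpolicy=yes

conn vpn
    left=%defaultroute
    right=vpn.example.org
    keyexchange=ikev2
    auto=start
    dpdaction=restart
    closeaction=restart
"""


def parse_conns(text):
    """Return {conn_name: {option: value}}; 'conn %default' is merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section headers start in column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def lint(text):
    """Hypothetical checker: flag conns that depart from the advice in this thread."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("closeaction") == "restart":
            findings.append((name, "closeaction", "only for peers that wrongly delete CHILD_SAs"))
        if opts.get("auto") == "start" and opts.get("keyingtries") != "%forever":
            findings.append((name, "keyingtries", "set keyingtries=%forever so retries never stop"))
    return findings


if __name__ == "__main__":
    for conn, option, advice in lint(SAMPLE):
        print(f"conn {conn}: {option}: {advice}")
```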