[strongSwan] dpdaction=restart doesn't always bring up link
Miroslav Svoboda
goodmirek at goodmirek.cz
Sun Apr 26 23:10:36 CEST 2015
Thanks a lot for the explanation!
On Sunday, April 26, 2015 at 11:09:16 PM UTC+2, Noel Kuntze wrote:
>
>
> Don't use closeaction=restart.
> That option is only there for cases where the other side has
> a broken or incompatible implementation of IKE, where CHILD_SAs are
> deleted by the other side, although they are still needed.
>
> Using that option in cases where it is not needed will cause
> undesired behaviour.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.04.2015 at 23:06, Miroslav Svoboda wrote:
> > What about "closeaction=restart", may it help?
> >
> > On Sunday, April 26, 2015 at 7:49:55 PM UTC+2, Noel Kuntze wrote:
> >
> >
> > Hello Daniel,
> >
> > Try keyingtries=%forever
> >
> > Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 26.04.2015 at 16:31, Daniel Pocock wrote:
> >
> >
> > > I have strongSwan on an OpenWRT router
> >
> > > ipsec version reports:
> > > Linux strongSwan U5.0.4/K3.3.8
> >
> >
> > > Sometimes the DSL goes down and comes up again within a minute or so but
> > > the VPN doesn't always re-establish itself.
> >
> > > I have the following in /etc/ipsec.conf:
> >
> > > config setup
> > >     # strictcrlpolicy=yes
> > >     # uniqueids = no
> >
> > > # Add connections here.
> >
> > > conn vpn
> > >     left=%defaultroute
> > >     leftid=@wrt1.example.org
> > >     leftcert=wrt1Cert.der
> > >     leftsubnet=192.168.1.0/24,2001:1234:5678:0::/64
> > >     leftfirewall=no
> > >     lefthostaccess=no
> > >     right=vpn.example.org
> > >     rightid=@vpn.example.org
> > >     rightsubnet=198.51.100.0/24,2001:abcd:1234:1000::/52
> > >     keyexchange=ikev2
> > >     auto=start
> > >     dpdaction=restart
> >
> >
> > > Is there anything else I should do to ensure this VPN is always up?
> >
> > > The OpenWRT device almost always gets the same IP address from the ISP,
> > > but it is not guaranteed to be static, so it can only be started from
> > > OpenWRT and not from the other end of the link.
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
>
>
>
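The two pieces of advice in the replies above (add keyingtries=%forever when relying on dpdaction=restart, and avoid closeaction=restart unless the peer's IKE implementation is broken) can be checked mechanically. The following Python check is an added example, not part of the original thread and not strongSwan code; the sample configuration is constructed, the conn "vpn-b" and the function names are hypothetical, and the parser assumes only "conn %default" inheritance (no also= or include handling).

```python
# Constructed sample: a reduced form of the thread's conn plus a hypothetical second conn.
SAMPLE = """\
conn %default
    keyexchange=ikev2

conn vpn
    left=%defaultroute
    right=vpn.example.org
    auto=start
    dpdaction=restart

conn vpn-b
    right=vpn.example.org
    auto=start
    dpdaction=restart
    keyingtries=%forever
    closeaction=restart
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section headers start in column 0
            kind, name = (line.split() + [""])[:2]
            current = sections.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def lint(text):
    """Return (conn, message) findings based on the advice given in the thread."""
    findings = []
    for name, opts in parse_conns(text).items():
        if opts.get("dpdaction") == "restart" and opts.get("keyingtries") != "%forever":
            findings.append((name, "dpdaction=restart without keyingtries=%forever"))
        if opts.get("closeaction") == "restart":
            findings.append((name, "closeaction=restart set; only for peers with broken IKE"))
    return findings

if __name__ == "__main__":
    for conn, msg in lint(SAMPLE):
        print(f"{conn}: {msg}")
```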