[strongSwan] Automatic Tunnel Opening and Routing

Noel Kuntze noel at familie-kuntze.de
Wed Apr 29 07:55:20 CEST 2015



Hello Jacques,

Do you have logs? I would like to see what strongSwan does, and your operating system in particular,
as you do not use DPD, so a connection failure should not be detected and the policies and the tunnel state should remain up,
although no communication is possible. Whether this is wanted is yours to decide.

Also, if your ultimate goal is to avoid leaking traffic, look at the "policy" match in iptables
and make creative use of it in *filter FORWARD.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 28.04.2015 at 11:19, Jacques Monin wrote:
> Hello,
>
> I'm trying to configure strongSwan in order to have automatic tunnel opening and routing.
>
> The tunnel opens well on traffic detection, the routes are created and all works well. But if a network wire is unplugged, the routing is erased and I have to restart strongSwan.
> Is there any way to avoid this?
>
> Is it possible to have the routing and the virtual address added while the tunnel is being opened?
> By using leftupdown="ipsec _updown"
>
> It seems that the only option to have automatic tunnel opening is to specify auto=route in ipsec.conf (I was hoping auto=add had the same behaviour).
> So is there any way to have automatic tunnel opening without initial routing?
>
> Here is my configuration:
>
> config setup
>
> conn %default
>         dpddelay=30
>         keyingtries=5
>         rekeymargin=120
>         dpdtimeout=120
>         keyexchange=ikev1
>         keylife=1h
>         ikelifetime=6h
>         authby=rsasig
>
> conn Visio
>         right=A.A.A.A
>         rightsubnet=172.16.1.0/24
>         rightid=%any
>
>         left=%defaultroute
>         leftsubnet=172.16.0.3/32
>         leftsourceip=172.16.0.3
>         leftcert=cert.pem
>         leftca=cacert.pem
>         leftsendcert=always
>
>         auto=route
>         type=tunnel
>         ike=aes256-sha2_256-modp1536
>         esp=aes256-sha2_256-modp1024
>
> Thanks for your help
>
>

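The reply above points at the iptables "policy" match as the way to stop cleartext from leaving when the tunnel is down. The following script is an added example, not code from either poster or from the strongSwan project: it generates the FORWARD rules for a gateway that forwards traffic between a local subnet and the remote subnet from the quoted configuration. The local subnet 172.16.0.0/24 is a constructed stand-in for the single host 172.16.0.3/32 in the posted config (on that host itself the same match would go in OUTPUT and INPUT instead of FORWARD), the chain name and the APPLY switch are this example's own conventions, and the generated rules require root and a kernel with the xt_policy module to apply.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables "policy" match rules
# so that forwarded traffic between two subnets is accepted only when an ESP
# tunnel-mode policy applies to it, and dropped when no IPsec policy applies
# at all (tunnel down, strongSwan stopped, or policies flushed).
#
# Assumptions: 172.16.1.0/24 is the remote subnet from the quoted config;
# 172.16.0.0/24 is a constructed local subnet; FORWARD is the chain of a
# forwarding gateway. Set LOCAL_NET, REMOTE_NET, CHAIN to override.

LOCAL_NET="${LOCAL_NET:-172.16.0.0/24}"
REMOTE_NET="${REMOTE_NET:-172.16.1.0/24}"
CHAIN="${CHAIN:-FORWARD}"

# Print the rule set, one iptables command per line.
# --dir out / --pol ipsec: the packet will be encapsulated by an outbound SA.
# --dir in  / --pol ipsec: the packet arrived inside an inbound SA.
# --pol none: no policy covers the packet, so it would travel in the clear.
leak_guard_rules() {
    local_net="$1"; remote_net="$2"; chain="$3"
    cat <<EOF
iptables -A $chain -s $local_net -d $remote_net -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
iptables -A $chain -s $local_net -d $remote_net -m policy --dir out --pol none -j DROP
iptables -A $chain -s $remote_net -d $local_net -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
iptables -A $chain -s $remote_net -d $local_net -m policy --dir in --pol none -j DROP
EOF
}

# Sanity check before applying anything: how many of the generated rules
# drop cleartext between the two subnets (expected: one per direction).
count_drop_rules() {
    leak_guard_rules "$1" "$2" "$3" | grep -c -- '--pol none -j DROP'
}

# With APPLY=1 the commands are executed (root and iptables required);
# otherwise they are only printed for review.
if [ "${APPLY:-0}" = "1" ]; then
    leak_guard_rules "$LOCAL_NET" "$REMOTE_NET" "$CHAIN" | sh -e
else
    leak_guard_rules "$LOCAL_NET" "$REMOTE_NET" "$CHAIN"
fi
```

Run it without arguments to review the four rules, then with `APPLY=1` to install them. The ACCEPT rules deliberately match on `--proto esp --mode tunnel` so that a transport-mode or AH-only policy does not count as "protected"; if the tunnel in the quoted configuration is changed to another mode, those two options must follow it or the legitimate traffic is dropped as well.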


