[strongSwan] Recommendations for dpdaction= and auto=

Noel Kuntze noel at familie-kuntze.de
Fri Jul 31 15:57:29 CEST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Tom,

Use auto=route and dpdaction=clear between sites with static IPs.
For connection between sites with mixed static and dynamic IPs,
use auto=add and dpdaction=clear on the side with the static IP
and auto=route and dpdaction=restart, or auto=route and dpdaction=clear
on the side with the dynamic IP.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 30.07.2015 um 18:18 schrieb Tom Rymes:
> We have a number of sites connected via StrongSwan IKEv2 tunnels, and I was hoping that someone might provide me with the recommended settings for dpdaction and auto, given our setup. I think have a reasonable handle on this, but I wanted to ask in case I was doing anything that might result in reduced reliability or fault tolerance.
>
> 1.) Two main offices with static IPs, Phone, file, print, and database servers.
> 2.) Multiple branch office, most with static IPs, a few with Dynamic IPs, client PCs and SIP phones. Each branch has two tunnels, one to each main office.
>
> I am fairly certain that I was previously told to set dpdaction=restart in the main offices and dpdaction=clear in the branches, but I am not certain what I should be doing with the auto= directive.
>
> The main goal is reliability of the tunnels and a reduced need to restart tunnels manually when one side or the other loses connectivity.
>
> Many thanks,
>
> Tom
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVu37JAAoJEDg5KY9j7GZYSxYP/jEbVSVtJLUZP8KZ6858Ha8j
dBEJ1i/u7d/DrGQGRYR65CZR40mm9+FOuxZk+sIo9mzusfWfx4DEjVG1zgyZ6He9
X8NcHotRuFgFN11UQ0AigdIVK0KB0NomMxX74nPHGXcmQht3jUuk4JANsDV6R0La
MqF06vnVkYRz+mtR8jqmOZSU+CYWf7VZLUbQgvRPUGArearfhNVzUhmedayoM0xj
jfFcW2Zb2Ay++IgGQce8z3zssEtU1l1ja6FxuMJAkc/IsDlLUHFuFRw2j8k65V5d
zLZ9ND8UNIuwX0p8MNvakMa2tu3BcgYSwhypEDyyLI8LvFsZOEm8vVlCdAxQo0TE
pkGdaPbksKmj7KnDgd5W+DvT6Up051t4LI669nmQugHdKVJfaw4Flkt9WKT4xcrX
58kF80e93XYH8IgQsZHaNpMwaJdeJnwBtWzQVJ0HuQ6Q0KMLniwfQSbxA4/7cvYj
xainZ7Dkt4K5P5Rlj2YPm8WmJxDyanhzSRuSaJHSdjdfQBqSLM7gQNCDoYO9aHMC
Omdx1tHdTTkFzzxbeE2z/g2DFvR/Ks2b8uNA9up9i2JWR/r+mthjumqiCIVU8IKq
BWnvKDSJy1xaUjIiUhp1Sl64WoSgibM5v81OlA1qlorZAbvV5+HCpAQHnRzGtbUH
AMtGdS32ViR3ZODVMcz2
=8wS0
-----END PGP SIGNATURE-----

More information about the Users mailing list