[strongSwan] Recommendations for dpdaction= and auto=
trymes at rymes.com
Fri Jul 31 16:08:40 CEST 2015
Thank you, Noel. I will move forward with those recommendations and work to get the IPFire (the distribution we use) WUI updated to allow the auto= changes.
> On Jul 31, 2015, at 9:57 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Tom,
> Use auto=route and dpdaction=clear between sites with static IPs.
> For connections between sites with mixed static and dynamic IPs,
> use auto=add and dpdaction=clear on the side with the static IP
> and auto=route and dpdaction=restart, or auto=route and dpdaction=clear
> on the side with the dynamic IP.
> Kind Regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> On 30.07.2015 at 18:18, Tom Rymes wrote:
>> We have a number of sites connected via StrongSwan IKEv2 tunnels, and I was hoping that someone might provide me with the recommended settings for dpdaction and auto, given our setup. I think I have a reasonable handle on this, but I wanted to ask in case I was doing anything that might result in reduced reliability or fault tolerance.
>> 1.) Two main offices with static IPs, Phone, file, print, and database servers.
>> 2.) Multiple branch offices, most with static IPs, a few with Dynamic IPs, client PCs and SIP phones. Each branch has two tunnels, one to each main office.
>> I am fairly certain that I was previously told to set dpdaction=restart in the main offices and dpdaction=clear in the branches, but I am not certain what I should be doing with the auto= directive.
>> The main goal is reliability of the tunnels and a reduced need to restart tunnels manually when one side or the other loses connectivity.
>> Many thanks,
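An added example, not code from either poster or from the strongSwan project: a small check that reads ipsec.conf text and flags conn sections whose auto=/dpdaction= pair differs from the recommendation in the reply above. The role labels, the sample configuration and the conn names are constructed for illustration; the parser honours conn %default inheritance but does not follow also= includes.

```python
# Added example: role names are hypothetical labels the operator assigns per conn.
RECOMMENDED = {
    "static-static": {("route", "clear")},
    "mixed-static-side": {("add", "clear")},
    "mixed-dynamic-side": {("route", "restart"), ("route", "clear")},
}

def parse_conns(text):
    """Return {conn: {key: value}}, with conn %default values inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # section headers start at column 0
            kind, name = (line.split(None, 1) + [""])[:2]
            current = sections.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {n: {**defaults, **p} for n, p in sections.items()}

def audit(text, roles):
    """Return (conn, configured, recommended) for each conn that deviates."""
    findings = []
    for name, params in parse_conns(text).items():
        if name not in roles:
            continue
        # ipsec.conf defaults when a key is unset: auto=ignore, dpdaction=none
        got = (params.get("auto", "ignore"), params.get("dpdaction", "none"))
        allowed = RECOMMENDED[roles[name]]
        if got not in allowed:
            want = " or ".join(f"auto={a} dpdaction={d}" for a, d in sorted(allowed))
            findings.append((name, "auto=%s dpdaction=%s" % got, want))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
conn %default
    dpdaction=restart   # inherited by every conn below
conn main-to-main2
    auto=route
    dpdaction=clear
conn main-to-branch-dyn
    auto=start
conn branch-to-main
    auto=route
"""
SAMPLE_ROLES = {"main-to-main2": "static-static", "branch-to-main": "mixed-dynamic-side",
                "main-to-branch-dyn": "mixed-static-side"}
```

On the sample, only main-to-branch-dyn is reported: it inherits dpdaction=restart from conn %default and uses auto=start, where the reply recommends auto=add and dpdaction=clear for the static side of a mixed pair.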