[strongSwan] Recommendations for dpdaction= and auto=

Tom Rymes trymes at rymes.com
Fri Jul 31 16:08:40 CEST 2015


Thank you, Noel. I will move forward with those recommendations and work to get the IPFire (the distribution we use) WUI updated to allow the auto= changes.

Tom

> On Jul 31, 2015, at 9:57 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> 
> Hello Tom,
> 
> Use auto=route and dpdaction=clear between sites with static IPs.
> For connections between sites with mixed static and dynamic IPs,
> use auto=add and dpdaction=clear on the side with the static IP
> and auto=route and dpdaction=restart, or auto=route and dpdaction=clear
> on the side with the dynamic IP.
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
>> Am 30.07.2015 um 18:18 schrieb Tom Rymes:
>> We have a number of sites connected via StrongSwan IKEv2 tunnels, and I was hoping that someone might provide me with the recommended settings for dpdaction and auto, given our setup. I think I have a reasonable handle on this, but I wanted to ask in case I was doing anything that might result in reduced reliability or fault tolerance.
>> 
>> 1.) Two main offices with static IPs, phone, file, print, and database servers.
>> 2.) Multiple branch offices, most with static IPs, a few with dynamic IPs, client PCs and SIP phones. Each branch has two tunnels, one to each main office.
>> 
>> I am fairly certain that I was previously told to set dpdaction=restart in the main offices and dpdaction=clear in the branches, but I am not certain what I should be doing with the auto= directive.
>> 
>> The main goal is reliability of the tunnels and a reduced need to restart tunnels manually when one side or the other loses connectivity.
>> 
>> Many thanks,
>> 
>> Tom
> 
> 
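
The recommendations quoted above, laid out as ipsec.conf connection sections. This is an added example, not configuration posted by anyone in the thread. The connection names, addresses (documentation ranges) and subnets are constructed placeholders, and authentication keywords (leftcert=, rightid= and so on) are left out because the thread does not discuss them.

```conf
# Constructed example. Each "conn" below notes which gateway's ipsec.conf it belongs in.

conn %default
    keyexchange=ikev2
    dpddelay=30s            # interval between DPD probes on an idle tunnel

# Static <-> static: same auto=/dpdaction= on both gateways
# (shown from the main office side).
conn main1-to-branch-static
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.10
    rightsubnet=10.10.0.0/24
    auto=route              # install trap policies; matching traffic brings the tunnel up
    dpdaction=clear         # dead peer: drop the SA and let traffic trigger a new one

# Mixed static/dynamic, on the gateway with the STATIC address (main office).
conn main1-to-branch-dynamic
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=%any              # peer address is not known in advance
    rightsubnet=10.20.0.0/24
    auto=add                # load the connection and wait for the branch to initiate
    dpdaction=clear         # dead peer: drop the SA and wait for the branch to return

# Mixed static/dynamic, on the gateway with the DYNAMIC address (branch).
conn branch-dynamic-to-main1
    left=%any               # local address is assigned dynamically
    leftsubnet=10.20.0.0/24
    right=192.0.2.1
    rightsubnet=10.1.0.0/16
    auto=route              # this side is the one that can always reach its peer
    dpdaction=restart       # dead peer: renegotiate at once (clear is the other option given)
```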

