[strongSwan] Recommendations for dpdaction= and auto=

Daniel Pocock daniel at pocock.pro
Fri Sep 11 12:42:56 CEST 2015





On 31/07/15 15:57, Noel Kuntze wrote:
> 
> Hello Tom,
> 
> Use auto=route and dpdaction=clear between sites with static IPs. 
> For connection between sites with mixed static and dynamic IPs, use
> auto=add and dpdaction=clear on the side with the static IP and
> auto=route and dpdaction=restart, or auto=route and
> dpdaction=clear on the side with the dynamic IP.
> 


I continue to have less than 100% consistent results with this.

On a particular branch office site, I have OpenWRT with strongSwan 5.0.4:

        auto=route
        dpdaction=clear
        dpddelay=30s
        keyingtries=%forever


and in the server site, strongSwan 5.0.4-3 on Debian, there is a
specific conn for this branch office, it contains:

        auto=add
        dpdaction=clear


Two things that I've noticed:

- if the DSL restarts at the branch office, IPsec doesn't always come
back up unless I restart the processes manually.  I tried both
auto=start and auto=route.

- if it does bring up the link again, it shows up as established at
both ends, but things don't get through, e.g. making a TCP connection
to some service times out.




