[strongSwan] [potentially solved] Re: charon keeps sending "keep alive"

Achim Vollhardt avollhar at physik.uzh.ch
Mon Jan 4 14:24:25 CET 2016


I have added:

        inactivity = 180
        dpdaction = clear

to my ipsec.conf which kills any left over connections after 3 min of
inactivity. This seems to do the trick. However, if there is a more
'official' way of doing it, please say so.

Best regards,
Achim


On 04.01.2016 11:57, Achim Vollhardt wrote:
> Charon and ipsec continue to send "keep alive" messages after the VPN
> client has disconnected. This is going on now for over 30 minutes and I
> am uncertain if this is supposed to happen or just a misconfiguration on
> my side. I have attached syslog and ipsec.conf, I hope this is sufficient.
> 
> Thank you,
> Achim Vollhardt
> 
> 
> 
> =================================
> /var/log/syslog:
> Jan  4 10:25:52 vpnpi ipsec[7882]: 11[KNL] interface ppp0 activated
> Jan  4 10:25:52 vpnpi ipsec[7882]: 06[KNL] 172.16.1.1 appeared on ppp0
> Jan  4 10:25:52 vpnpi ipsec[7882]: 07[KNL] 172.16.1.1 disappeared from ppp0
> Jan  4 10:25:52 vpnpi ipsec[7882]: 09[KNL] 172.16.1.1 appeared on ppp0
> Jan  4 10:25:52 vpnpi ipsec[7882]: 16[KNL] interface ppp0 deactivated
> Jan  4 10:25:52 vpnpi ipsec[7882]: 14[KNL] 172.16.1.1 disappeared from ppp0
> Jan  4 10:25:54 vpnpi ntpd[2691]: Deleting interface #6 ppp0,
> 172.16.1.1#123, interface stats: received=0, sent=0, dropped=0,
> active_time=65 secs
> Jan  4 10:25:54 vpnpi ntpd[2691]: peers refreshed
> Jan  4 10:25:57 vpnpi xl2tpd[790]: Unable to deliver closing message for
> tunnel 23563. Destroying anyway.
> Jan  4 10:26:16 vpnpi charon: 10[IKE] sending keep alive to
> 178.197.228.201[16385]
> Jan  4 10:26:36 vpnpi charon: 06[IKE] sending keep alive to
> 178.197.228.201[16385]
> Jan  4 10:26:56 vpnpi charon: 07[IKE] sending keep alive to
> 178.197.228.201[16385]
> Jan  4 10:27:16 vpnpi charon: 13[IKE] sending keep alive to
> 178.197.228.201[16385]
> Jan  4 10:27:36 vpnpi charon: 15[IKE] sending keep alive to
> 178.197.228.201[16385]
> Jan  4 10:27:56 vpnpi charon: 06[IKE] sending keep alive to
> 178.197.228.201[16385]
> 
> (seems to continue forever with the 20sec period..)
> 
> 
> 
> ===============================================================================000000
> 
> 
> 
> ipsec.conf:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> #conn sample-self-signed
> #      leftsubnet=10.1.0.0/16
> #      leftcert=selfCert.der
> #      leftsendcert=never
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightcert=peerCert.der
> #      auto=start
> 
> #conn sample-with-ca-cert
> #      leftsubnet=10.1.0.0/16
> #      leftcert=myCert.pem
> #      right=192.168.0.2
> #      rightsubnet=10.2.0.0/16
> #      rightid="C=CH, O=Linux strongSwan CN=peer name"
> #      auto=start
> 
> include /var/lib/strongswan/ipsec.conf.inc
> 
> conn vpnserver
>         type=transport
>         authby=secret
>         pfs=no
>         rekey=no
>         keyingtries=1
>         left=%any
>         leftprotoport=udp/l2tp
>         leftid=@XXX.XXX.com            #removed for mail
>         right=%any
>         rightprotoport=udp/%any
>         auto=add
> 
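
A way to check a log for the symptom reported above, as an added example that is not part of the original post or of strongSwan: it reports peers that still receive charon keep-alives more than a cutoff after the last tunnel teardown event. The function names, the `max_after` cutoff and the sample lines (constructed in the syslog format shown in the post, with a documentation peer address) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, same line format as the syslog excerpt in the post.
SAMPLE = """\
Jan  4 10:25:52 vpnpi ipsec[7882]: 16[KNL] interface ppp0 deactivated
Jan  4 10:25:57 vpnpi xl2tpd[790]: Unable to deliver closing message for tunnel 23563. Destroying anyway.
Jan  4 10:26:16 vpnpi charon: 10[IKE] sending keep alive to 192.0.2.10[16385]
Jan  4 10:26:36 vpnpi charon: 06[IKE] sending keep alive to 192.0.2.10[16385]
Jan  4 10:26:56 vpnpi charon: 07[IKE] sending keep alive to 192.0.2.10[16385]
Jan  4 10:27:16 vpnpi charon: 13[IKE] sending keep alive to 192.0.2.10[16385]
"""

TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
KEEPALIVE = re.compile(r"\[IKE\] sending keep alive to (\S+?)\[(\d+)\]")
TEARDOWN = re.compile(r"interface ppp\d+ deactivated|xl2tpd\[\d+\]: .*Destroying anyway")


def parse_ts(line, year=2016):
    """Parse the syslog timestamp; syslog omits the year, so it is supplied."""
    m = TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def stale_keepalives(log, max_after=60):
    """Return {peer: seconds} for peers whose most recent keep-alive is more
    than max_after seconds later than the last teardown event in the log."""
    last_teardown, last_seen = None, {}
    for line in log.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue  # wrapped or foreign line without a timestamp
        if TEARDOWN.search(line):
            last_teardown = ts
        elif last_teardown and (m := KEEPALIVE.search(line)):
            last_seen[f"{m.group(1)}:{m.group(2)}"] = ts
    return {peer: int((ts - last_teardown).total_seconds())
            for peer, ts in last_seen.items()
            if (ts - last_teardown).total_seconds() > max_after}


if __name__ == "__main__":
    for peer, secs in stale_keepalives(SAMPLE).items():
        print(f"{peer}: keep-alives still sent {secs}s after teardown")
```

Setting `max_after` slightly above the configured `inactivity` value turns this into a check that the timeout is taking effect. Log lines wrapped by a mail client must be rejoined before parsing.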

