[strongSwan] Best practices regarding monitoring

Martin Willi martin at strongswan.org
Sun Jun 18 14:54:56 CEST 2017


Hi Peter

> So, am I correct to assume that you guys usually evaluate the output
> of `ipsec statusall`

Preferably I'd do that over vici [1], as it provides a much better
interface for various languages to query tunnel status or re-initiate
tunnels.

> Do you simply send pings to remote systems "behind" the VPN?

Actually out-of-sync state is quite uncommon at least with IKEv2. If
your peer loses CHILD_SAs but happily answers to DPD/liveness checks
on IKE, there is probably a bug somewhere. If a peer deletes a
CHILD_SA, it must signal that over IKE, hence its peer should notice
that. Even complex rekey collisions are actually defined, but probably
not all implementations handle them correctly. Also, you might consider
updating to 5.5.x, which brings some additional improvements regarding
collision exchanges.

> If there is no DPD that uses CHILD_SAs, there might be nothing else
> that you can do.

There isn't, as from a protocol level this is not needed in IKEv2 due
to the strict state synchronization it provides. Of course you could
use a short CHILD_SA rekeying interval to check its liveness, but that
isn't an optimal solution, either.

Regards
Martin

[1]https://wiki.strongswan.org/projects/strongswan/wiki/Vici
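Checking tunnel state over vici as the reply recommends, as an added example that is not from the original mail or from the strongSwan project: it assumes the official Python `vici` package (`pip install vici`) and the `list-sas` response layout that package returns (one dict per IKE_SA keyed by connection name, byte-string values, a nested `child-sas` dict); the sample SA data is constructed.

```python
"""Compare strongSwan list-sas output against the CHILD_SAs expected to be up.

Added example, not part of the original mail or of strongSwan itself. Assumes
the Python 'vici' package and its list-sas response shape (assumption).
"""
from typing import Dict, List, Set


def child_sa_report(ike_sas: List[Dict], expected: Dict[str, Set[str]]) -> Dict[str, str]:
    """ike_sas: dicts as yielded by vici Session.list_sas().
    expected: {connection name: {child config names}} that must be INSTALLED.
    Returns {"<conn>/<child>": "ok" | "<reason>"} for every expected child."""
    installed: Dict[str, Set[str]] = {}
    ike_state: Dict[str, str] = {}
    for sa in ike_sas:
        for conn, ike in sa.items():
            ike_state[conn] = ike.get("state", b"").decode()
            for key, child in ike.get("child-sas", {}).items():
                # Newer charon keys children as "<name>-<uniqueid>" and adds a
                # 'name' field; fall back to the key for older versions.
                name = child.get("name", key.encode()).decode()
                if child.get("state") == b"INSTALLED":
                    installed.setdefault(conn, set()).add(name)
    report: Dict[str, str] = {}
    for conn, children in expected.items():
        for child in sorted(children):
            tag = f"{conn}/{child}"
            if conn not in ike_state:
                report[tag] = "no IKE_SA"
            elif ike_state[conn] != "ESTABLISHED":
                report[tag] = f"IKE_SA state {ike_state[conn]}"
            elif child not in installed.get(conn, set()):
                report[tag] = "CHILD_SA not installed"
            else:
                report[tag] = "ok"
    return report


# Constructed sample: one ESTABLISHED IKE_SA "gw" with a single installed
# child "net"; the expected child "mgmt" is absent, as is connection "other".
SAMPLE_SAS = [{"gw": {"state": b"ESTABLISHED", "child-sas": {
    "net-1": {"name": b"net", "state": b"INSTALLED"}}}}]
EXPECTED = {"gw": {"net", "mgmt"}, "other": {"x"}}

if __name__ == "__main__":
    try:
        import vici  # live query; needs a running charon with the vici plugin
        sas = list(vici.Session().list_sas())
    except Exception:
        sas = SAMPLE_SAS  # fall back to the constructed sample when offline
    for tag, status in child_sa_report(sas, EXPECTED).items():
        print(tag, status)
```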
