[strongSwan] fails to retry after DNS failure

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon May 8 10:23:35 CEST 2017

Hello Daniel,

That's not a bug, that's intentional behaviour.
Charon stops trying to initiate or negotiate when a permanent error
is encountered that it can not handle by itself. Use auto=route, if you
need to make sure CHILD_SAs are reinitiated when they're down,
but needed. There's no option to force retrying in any case.

Closeaction only applies to CHILD_SAs getting closed and dpdaction only to dpd timeouts.
So obviously neither applies.

Kind regards,

On 08.05.2017 10:07, Daniel Pocock wrote:
> Hi,
> I've got some of the following in a branch-office configuration on OpenWRT:
> StrongSWAN version 5.3.3
> conn mainoffice
>     left=%defaultroute
>     leftsubnet=,my-ipv6-prefix::/64
>     leftcert=wrt1Cert.der
>     leftid=@wrt1.example.org
>     leftfirewall=yes
>     right=vpn.example.org
>     rightid=@vpn.example.org
>     rightsubnet=my-class-C/24,another-ipv6-prefix::/52
>     auto=start
>     dpdaction=restart
>     closeaction=restart
>     keyingtries=%forever
> With this configuration (dpdaction, closeaction, keyingtries) I would
> expect the branch office to make every effort to reconnect and keep
> trying forever.
> I've observed that if the ISP link goes down (e.g. removing the fibre),
> if the ISP link is not ready when StrongSWAN starts up (e.g. after a
> router reboot) or if the VPN server is restart then the branch office
> fails to reconnect.
> Looking at the logs (logread on OpenWRT) I notice an error about DNS
> failure for "vpn.example.org" and then it would give up.
> I changed the line "right=vpn.example.org" to "right=A.B.C.D" and the
> problem went away.  Now it really keeps retrying.
> I'd like to open a bug report for this but I couldn't log in to the bug
> tracker.
> Regards,
> Daniel
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170508/64b77ab7/attachment.sig>

More information about the Users mailing list