[strongSwan] fails to retry after DNS failure

Daniel Pocock daniel at pocock.pro
Mon May 8 10:42:45 CEST 2017


On 08/05/17 10:23, Noel Kuntze wrote:
> Hello Daniel,
>
> That's not a bug, that's intentional behaviour.
> Charon stops trying to initiate or negotiate when a permanent error
> is encountered that it can not handle by itself.

Why do you feel it is a permanent error?  In a networked environment, a
DNS timeout can sometimes happen.

If the DNS returned some other error (e.g. NXDOMAIN) then I would
consider that a permanent failure.  But a timeout (DNS error SERVFAIL)
is not permanent.


> Use auto=route, if you
> need to make sure CHILD_SAs are reinitiated when they're down,
> but needed. There's no option to force retrying in any case.

So if I change "auto=start" to "auto=route", then using
"right=vpn.example.org" will work again?

Note that sometimes I want to make connections from the head office to
the branch office, so I don't want it to wait for a process at the
branch office to send traffic before bringing up the connection.

> Closeaction only applies to CHILD_SAs getting closed and dpdaction only to dpd timeouts.
> So obviously neither applies.

Is it safe to leave these entries in place or do you suggest removing or
changing either of them?

Regards,

Daniel
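For readers following the thread, the change Noel suggests looks like this in ipsec.conf terms. This is an added illustration, not a configuration posted by either participant; the connection name, subnets and the `vpn.example.org` hostname are assumed placeholders. With `auto=start` charon tries to bring the tunnel up at startup and, per Noel, gives up after a DNS failure it treats as permanent; with `auto=route` charon only installs a trap policy, and the DNS lookup and IKE initiation happen whenever traffic matches that policy, so a lookup that failed once is simply attempted again the next time traffic arrives.

```conf
# Added example, not from the original message. Names and addresses are placeholders.

# Variant that stops after a DNS failure at startup (what Daniel reported).
conn branch-office
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=vpn.example.org        # resolved when charon initiates
    rightsubnet=10.2.0.0/16
    auto=start                   # initiate immediately at startup

# Variant Noel proposes: trap policy, initiation (and DNS resolution) on demand.
conn branch-office-trap
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=vpn.example.org
    rightsubnet=10.2.0.0/16
    auto=route                   # install trap policy only; initiate on matching traffic
    # closeaction/dpdaction may stay; Noel notes they do not affect this case
    closeaction=restart
    dpdaction=restart
```

With `auto=route`, traffic originating at the head office side (for example a host in 10.1.0.0/16 contacting 10.2.0.0/16) is itself what triggers the initiation, so the head office does not need the branch office to send anything first; the tunnel is just not established until some packet matches the policy.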


