[strongSwan] fails to retry after DNS failure

Daniel Pocock daniel at pocock.pro
Mon May 8 12:08:55 CEST 2017


On 08/05/17 10:42, Daniel Pocock wrote:
> On 08/05/17 10:23, Noel Kuntze wrote:
>> Hello Daniel,
>>
>> That's not a bug, that's intentional behaviour.
>> Charon stops trying to initiate or negotiate when a permanent error
>> is encountered that it can not handle by itself.
> Why do you feel it is a permanent error?  In a networked environment, a
> DNS timeout can sometimes happen.
>
> If the DNS returned some other error (e.g. NXDOMAIN) then I would
> consider that a permanent failure.  But a timeout (DNS error SERVFAIL)
> is not permanent.
>
>
>>  Use auto=route, if you
>> need to make sure CHILD_SAs are reinitiated when they're down,
>> but needed. There's no option to force retrying in any case.
> So if I change "auto=start" to "auto=route", then using
> "right=vpn.example.org" will work again?
>
> Note that sometimes I want to make connections from the head office to
> the branch office, so I don't want it to wait for a process at the
> branch office to send traffic before bringing up the connection.
>
>> Closeaction only applies to CHILD_SAs getting closed and dpdaction only to dpd timeouts.
>> So obviously neither applies.
> Is it safe to leave these entries in place or do you suggest removing or
> changing either of them?


I also put my comments about this in the bug tracker now
https://wiki.strongswan.org/issues/2319
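As an added illustration of the auto=route alternative discussed in the thread above (this is not a configuration from the original post; the hostname, subnets and timers are placeholders):

```conf
# /etc/ipsec.conf -- constructed example; names and addresses are placeholders
conn branch-office
    keyexchange=ikev2
    left=%defaultroute
    leftid=@hq.example.org
    leftsubnet=10.1.0.0/16
    # the hostname is resolved each time charon initiates, so a transient
    # DNS failure only affects that one attempt
    right=vpn.example.org
    rightid=@vpn.example.org
    rightsubnet=10.2.0.0/16
    # auto=route installs a trap policy instead of initiating at startup:
    # the first packet from 10.1.0.0/16 towards 10.2.0.0/16 (from any host at
    # the head office, including the gateway itself) triggers the negotiation,
    # and the trap stays in place so the next packet retries after a failure
    auto=route
    # dpdaction and closeaction are independent of the DNS problem: they only
    # decide what happens after a DPD timeout or a remotely closed CHILD_SA.
    # With a trap policy installed, "clear" is sufficient, because new traffic
    # re-initiates the tunnel on its own.
    dpddelay=30s
    dpdaction=clear
    closeaction=clear
```

With auto=start the conn is initiated once at startup and a failed lookup ends that attempt; with auto=route every packet matching the policy is a fresh trigger, which is what makes the hostname usable again in the scenario from the thread.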