[strongSwan] High latency (satellite) link : what can we improve ?

Hoggins! hoggins at radiom.fr
Fri Oct 27 11:09:48 CEST 2017


Hello Noel,

I'll try to provide as much as I can. The sat connection and the machine
in question are currently down; they are used like two or three times a
year, and when they are, we "don't have time" to gather statusall
messages and so on, hence the lack of information regarding what we
experienced.
So yeah, the guessing part is quite important, and I'm sorry for that. I
used to work in engineering support teams, and most of the time we had a
lot of "guessing" work, so I know how it feels.

In the first place I was mostly looking for hints that _could explain_
what we experienced, sometimes it's good to wonder a little when we
don't have all the bits.

Our "client" ipsec.conf is:

    conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=%forever
      authby=secret
      keyexchange=ikev2
      mobike=yes
      reauth=no
      ikedscp=101110

    conn net-net
      auto=start
      left=%defaultroute
      leftsubnet=192.168.22.0/24
      leftid=netnetYomama
      leftfirewall=yes
      right=x.x.x.x
      rightsubnet=192.168.55.0/24,192.168.33.0/24,192.168.66.0/24
      closeaction=restart
      dpdaction=restart
      dpddelay=30s
      dpdtimeout=120s


On our "server" (star network concentrator):

    conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=%forever
      authby=secret
      keyexchange=ikev2
      ikedscp=101110

    conn net-net
      left=51.254.26.13
      leftsubnet=192.168.55.0/24,192.168.33.0/24,192.168.66.0/24
      leftfirewall=yes
      right=%any
      rightsubnet=192.168.22.0/24
      rightid=netnetYomama
      auto=start


I'll do my best to extract some logs.

Thanks!


On 26/10/2017 at 19:19, Noel Kuntze wrote:
> Hello,
>
> Hoggins: Please provide the full list of information that is listed on the HelpRequests page. It helps immensely in understanding what the actual problem is.
> In fact, it saves us about 99,9% of the guessing.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

