[strongSwan] 24/7/365 tunnel?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 13 21:16:11 CEST 2017


DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs.
It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router
would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards


On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> Am 13.09.2017 um 17:33 schrieb Eric Germann:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.
>> If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.  
>> EKG
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <turbo at bayour.com> wrote:
>>> I’m trying to setup a tunnel between two regions in
>>> AWS.
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
> Michael Schwartzkopff
> Mit freundlichen Grüßen,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170913/ba26a1e5/attachment-0001.sig>

More information about the Users mailing list