[strongSwan] 24/7/365 tunnel?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 13 21:16:11 CEST 2017


Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs.
It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router
would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards

Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.  
>>
>> EKG
>>
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <turbo at bayour.com> wrote:
>>>
>>> I’m trying to setup a tunnel between two regions in
>>> AWS.
>>>
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>>
>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
>>>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
>
> Michael Schwartzkopff
>
> Kind regards,
>

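Putting Noel's two points together (DPD only guards the IKE_SA; a trap policy is what brings a deleted or expired tunnel back), the following swanctl.conf fragment shows the settings side by side. It is an added illustration and not from the thread or from the strongSwan project; the connection and child names, identities, addresses, subnets and the pre-shared key are constructed placeholders.

```conf
# swanctl.conf fragment (strongSwan swanctl-style configuration).
# Added illustration; all names, addresses and the PSK are assumed values.
connections {
    region-a-to-b {
        version = 2
        local_addrs  = 192.0.2.10        # this peer (assumed)
        remote_addrs = 198.51.100.20     # peer in the other region (assumed)

        # Liveness check for the IKE_SA only: a DPD exchange every 30 s.
        # Keeps NAT mappings fresh and detects an unreachable peer, but
        # does not by itself stop either side from deleting a CHILD_SA.
        dpd_delay = 30s

        local {
            auth = psk
            id = region-a.example        # assumed identity
        }
        remote {
            auth = psk
            id = region-b.example        # assumed identity
        }

        children {
            region-net {
                local_ts  = 10.10.0.0/16     # assumed
                remote_ts = 10.20.0.0/16     # assumed

                # Trap policy (ipsec.conf: auto=route): a kernel policy is
                # installed at load time, and the first matching packet
                # triggers negotiation of a CHILD_SA. If the tunnel is
                # deleted or expires, the next packet re-establishes it.
                start_action = trap

                # Re-install the trap when the peer deletes the CHILD_SA
                # (ipsec.conf: closeaction=hold).
                close_action = trap

                # When DPD declares the peer dead, restart the connection
                # (ipsec.conf: dpdaction=restart).
                dpd_action = restart
            }
        }
    }
}

secrets {
    ike-region-b {
        id-1 = region-b.example
        secret = "REPLACE-WITH-REAL-PSK"    # placeholder, not a real key
    }
}
```

After loading the file with `swanctl --load-all`, `swanctl --list-pols` shows the installed trap policy even while no CHILD_SA exists; that is the state in which traffic, not a timer, decides when the tunnel is (re)negotiated. With the legacy ipsec.conf the same behaviour comes from `auto=route`, `dpddelay=30s`, `dpdaction=restart` and `closeaction=hold`.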