[strongSwan] 24/7/365 tunnel?

Eric Germann ekgermann at semperen.com
Thu Sep 14 12:23:41 CEST 2017


I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down but needed and starts passing traffic.

EKG

> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson <turbo at bayour.com> wrote:
> 
> I’ve been playing with:
> 
>    type=tunnel
>    auto=start
>    dpdaction=restart
>    dpddelay=2400s
> 
> which never worked. I’ve now changed this to:
> 
>    type=tunnel
>    auto=start
>    dpdaction=restart
>    dpddelay=10
>    dpdtimeout=60
> 
> and so far so good. Although I haven’t waited long enough, so I’m
> going to let it be for the next few days to see if that works in the long
> run.
> 
> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
> in London that need access to databases in Ireland to work.
> 
> 
> I’m considering setting up DBs in London as well, but that will both
> cost a small fortune AND replication/updates on the DBs will be
> problematic. So I’d prefer a “perfect” link between them...
> 
> 
>> On 13 Sep 2017, at 20:16, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>> 
>> Hi,
>> 
>> DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs.
>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router
>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.
>> 
>> Use auto=route (swanctl equivalent is start_action=trap), as advised previously.
>> 
>> Kind regards
>> 
>> Noel
>> 
>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>> On 13.09.2017 at 17:33 Eric Germann wrote:
>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.
>>>> 
>>>> If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.
>>>> 
>>>> EKG
>>>> 
>>>> 
>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <turbo at bayour.com> wrote:
>>>>> 
>>>>> I’m trying to set up a tunnel between two regions in
>>>>> AWS.
>>>>> 
>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>> down the tunnel automatically (?) after a few hours.
>>>>> 
>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>> the connection automatically?
>>>>> 
>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>> 
>>> 
>>> Michael Schwartzkopff
>>> 
>>> Kind regards,
>>> 
>> 
> 

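Putting the thread's advice together as an ipsec.conf connection (an added example, not a configuration posted by anyone in the thread): a trap policy via auto=route, DPD restart for the IKE_SA, and renegotiation when the peer deletes the CHILD_SA. Subnets, addresses and identities are placeholders.

```conf
# ipsec.conf -- added example, not from the thread. Subnets, IPs and IDs
# are placeholders; adapt them to the two VPCs.
conn london-to-ireland
    type=tunnel
    keyexchange=ikev2
    # Install a trap policy at boot: the first packet matching the
    # subnets triggers (re)negotiation, so the tunnel comes back on its
    # own after any CHILD_SA or IKE_SA deletion. This is the "auto=route"
    # advised in the thread (swanctl.conf: start_action = trap).
    auto=route
    # Retry forever instead of giving up after the default 3 attempts.
    keyingtries=%forever
    # DPD only watches the IKE_SA: if the peer stops answering, tear
    # down and renegotiate. It does not by itself keep CHILD_SAs alive.
    dpdaction=restart
    dpddelay=10s
    # dpdtimeout applies to IKEv1 only; it has no effect with IKEv2.
    # If the peer deletes the CHILD_SA cleanly, renegotiate right away
    # instead of waiting for the next packet to hit the trap policy.
    closeaction=restart
    left=%defaultroute
    leftid=@london.example.internal      # placeholder
    leftsubnet=10.1.0.0/16               # placeholder: London VPC
    right=203.0.113.10                   # placeholder: Ireland peer address
    rightid=@ireland.example.internal    # placeholder
    rightsubnet=10.2.0.0/16              # placeholder: Ireland VPC
    authby=secret
```

Both ends should carry the same policy (auto=route on one side only leaves the other dependent on incoming traffic); after a change, `ipsec statusall` should show the connection as ROUTED before any traffic has flowed.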

