[strongSwan] 24/7/365 tunnel?

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Sep 14 12:53:28 CEST 2017



You need to use auto=route, otherwise the tunnel will not be established (anymore) if it ever gets deleted by one side, a fatal error is encountered, or it cannot be established in the first place.

On 14.09.2017 12:23, Eric Germann wrote:
> I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down but needed and starts passing traffic.
>
> EKG
>
>> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson <turbo at bayour.com> wrote:
>>
>> I’ve been playing with:
>>
>> type=tunnel
>> auto=start
>> dpdaction=restart
>> dpddelay=2400s
>>
>> which never worked. I’ve now changed this to:
>>
>> type=tunnel
>> auto=start
>> dpdaction=restart
>> dpddelay=10
>> dpdtimeout=60
>>
>> and so far so good. Although I haven’t waited long enough, so I’m
>> going to let it be for the next few days to see if that works in the long
>> run.
>>
>> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
>> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
>> in London that need access to databases in Ireland to work.
>>
>> I’m considering setting up DBs in London as well, but that will both
>> cost a small fortune AND replication/updates on the DBs will be
>> problematic. So I’d prefer a “perfect” link between them...
>>
>>> On 13 Sep 2017, at 20:16, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>>
>>> Hi,
>>>
>>> DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs.
>>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router
>>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.
>>>
>>> Use auto=route (swanctl equivalent is start_action=trap), as advised previously.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.
>>>>>
>>>>> If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.
>>>>>
>>>>> EKG
>>>>>
>>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <turbo at bayour.com> wrote:
>>>>>>
>>>>>> I’m trying to setup a tunnel between two regions in AWS.
>>>>>>
>>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>>> down the tunnel automatically (?) after a few hours.
>>>>>>
>>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>>> the connection automatically?
>>>>>>
>>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>>>
>>>> Michael Schwartzkopff
>>>>
>>>> Kind regards,
>>>>
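The two arrangements discussed in this thread, written out side by side as an added example (not a configuration posted by any of the participants): the first is the auto=start setup Turbo reported, the second is the auto=route / trap-policy setup Noel and Eric recommend. Connection names, gateway addresses (documentation ranges) and subnets are placeholders; the swanctl.conf keys in the comments are the start_action=trap equivalent named in the thread plus the standard swanctl counterparts of the other ipsec.conf options.

```ini
# /etc/ipsec.conf  (placeholder names, addresses and subnets; adjust to your own)

# Fragile: auto=start brings the tunnel up once when the daemon starts.
# DPD only detects that the peer has gone away; dpdaction=restart then
# re-initiates the IKE_SA after dpdtimeout.  If the peer deletes the
# CHILD_SA cleanly, the first negotiation at boot fails, or a fatal error
# tears the SAs down, nothing triggers a new attempt and the tunnel
# stays down until someone runs "ipsec up".
conn london-ireland-start
    type=tunnel
    # London gateway (TEST-NET-3 placeholder) and its subnet
    left=203.0.113.10
    leftsubnet=10.10.0.0/16
    # Ireland gateway (TEST-NET-2 placeholder) and its subnet
    right=198.51.100.20
    rightsubnet=10.20.0.0/16
    auto=start
    dpdaction=restart
    dpddelay=10
    dpdtimeout=60

# Recommended: auto=route installs a trap policy at startup.  Any packet
# from leftsubnet to rightsubnet that finds no CHILD_SA triggers a new
# IKE negotiation, so the tunnel comes back however it was lost.
# closeaction=restart renegotiates immediately when the peer deletes the
# CHILD_SA instead of waiting for the next trapped packet, and
# keyingtries=%forever keeps retrying if the peer is unreachable at boot.
conn london-ireland-route
    type=tunnel
    left=203.0.113.10
    leftsubnet=10.10.0.0/16
    right=198.51.100.20
    rightsubnet=10.20.0.0/16
    # swanctl.conf: connections.<conn>.children.<child>.start_action = trap
    auto=route
    # swanctl.conf: connections.<conn>.children.<child>.dpd_action = restart
    dpdaction=restart
    # swanctl.conf: connections.<conn>.dpd_delay = 10s
    dpddelay=10
    # dpdtimeout is honoured by IKEv1 only; IKEv2 relies on the
    # retransmission timeout instead
    dpdtimeout=60
    # swanctl.conf: connections.<conn>.children.<child>.close_action = restart
    closeaction=restart
    # swanctl.conf: connections.<conn>.keyingtries = 0  (0 = unlimited)
    keyingtries=%forever
```

Two operational points follow from the trap-policy design. Packets that hit the trap while the SA is still being negotiated are dropped rather than queued, so the first database query after an outage can time out once; keeping dpddelay short limits how long a stale CHILD_SA lingers before the trap takes over. And because the trap is installed at boot but the SA is only negotiated on demand, "the link is up 24/7" really means "the policy is always present and traffic always re-establishes it", which is exactly the guarantee auto=start cannot give.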



