[strongSwan] Tunnel stability issues after upgrade from 4.5.2 to 5.5.1
Tom Rymes
trymes at rymes.com
Wed Mar 7 16:35:03 CET 2018
Martin,
I can't help with the more technical portions of your query, but I can confirm that using auto=route has proven to be more reliable than auto=start, as a dropped tunnel seems more likely to be brought back up automatically.
I had asked specifically about that setting a few years ago, and this is the advice I received:
https://lists.strongswan.org/pipermail/users/2015-July/008552.html
Tom
> On Mar 7, 2018, at 1:53 AM, Martijn Grendelman <martijn.grendelman at isaac.nl> wrote:
>
> Hi,
>
> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
> for a long time. We have about 70 ESP tunnels with 19 different
> endpoints, most of them IKEv1. The setup has been rock solid for years,
> with tunnel outages being extremely rare, and almost always the remote
> side's fault.
>
> Last week, I upgraded the system to Debian Stretch (with StrongSwan
> 5.5.1), and since then, a number of tunnels (but not all of them) have
> stability issues. The issue appears to be that CHILD_SA's are not
> established when needed, or they disappear after some time. I haven't
> really discovered a pattern, and I'm a bit overwhelmed by Charon's
> logging output at higher levels. The problems are restricted to IKEv1
> connections, IKEv2 connections seem unaffected. There don't seem to be
> any issues establishing IKE SAs.
>
> Since I didn't make any changes to the configuration in the course of
> the upgrade, I can imagine that my config is not up to the standards of
> version 5. I pasted relevant parts of my config below. Are there things
> that can be improved?
>
> I am sorry I can't be more concrete. I am mostly looking for pointers on
> how to solve the issues.
>
> If I want to know why a CHILD_SA is not established, what logging
> settings should I use? I'd like some pointers to what kind of messages
> to look for, and at what level from which subsystem they would be
> logged. Currently, I have this:
>
> /var/log/charon.log {
> time_format = %b %e %T
> ike_name = yes
> append = yes
> default = 1
> cfg = 4
> net = 0
> flush_line = yes
> }
>
> The problem is, that with 70 tunnels, raising the default log level
> higher than 1 leads to A LOT of logging (GBs / day) which quickly
> becomes hard to digest.
>
> Here are my 'default' config and some config samples for connections
> that suffer from these problems. The example describes two tunnels to
> the same endpoint. Only 'leftsubnet' differs. In total, there are 16
> tunnels to this endpoint, all sharing the same IKE SA. They only differ
> in left- and rightsubnet. Does this make sense?
>
> conn %default
> ikelifetime=8h
> keylife=1h
> rekeymargin=9m
> authby=secret
> keyexchange=ikev2
> mobike=no
> auto=start
> leftfirewall=no
> lefthostaccess=no
> closeaction=restart
> dpdaction=restart
> keyingtries=%forever
>
> conn hq_uk_b4a
> left=<left ip>
> leftsubnet=172.17.1.0/24
> right=<right ip>
> rightsubnet=10.53.13.0/24
> ike=aes256-sha1-modp1024
> esp=aes256-sha1-modp1024
> keyexchange=ikev1
> ikelifetime=8h
>
> conn hq_uk_b4b
> left=<left ip>
> leftsubnet=172.17.5.0/24
> right=<right ip>
> rightsubnet=10.53.13.0/24
> ike=aes256-sha1-modp1024
> esp=aes256-sha1-modp1024
> keyexchange=ikev1
> ikelifetime=8h
>
> Hoping for some useful pointers...
>
> Best regards,
> Martijn Grendelman.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180307/e54bfc15/attachment.html>
More information about the Users
mailing list