[strongSwan] had to manually up a connection
Victor Sudakov
vas at sibptus.ru
Fri Mar 6 03:45:19 CET 2020
Hello Noel,
According to ipsec.conf(5) "auto=start loads a connection and brings it
up immediately." What is the expected behavior of auto=start on
connection *loss* (e.g. peer death is detected by DPD)?
I want Strongswan to reestablish this connection immediately after the
right side becomes alive again, not when there are packets for it.
Noel Kuntze wrote:
> Hello Victor,
>
> You configured it to start, not to try to reinitiate. Use auto=route
> for the latter. It will try to reestablish when there's packets for it
> then though, not immediately.
>
> Kind regards
>
> Noel
>
> Am 05.03.20 um 12:03 schrieb Victor Sudakov:
> > Dear Colleagues,
> >
> > There was a power outage, the Mikrotik router at home was powered off
> > for several hours. Then it was powered on again but there was no IPSec
> > SA from work (Strongswan) to home (Mikrotik).
> >
> > I had to run "ipsec up home" at work to make things work again. Why did
> > the SA not start automatically when the Mikrotik became available again?
> >
> > This is the relevant Strongswan config (yes the Strongswan at work is
> > behind NAT).
> >
> > conn home
> > auto=start
> > authby=secret
> > dpddelay=10s
> > dpdaction=restart
> > esp=aes256-sha1-modp2048
> > ike=aes256-sha1-modp2048
> > ikelifetime=1h
> > lifetime=10m
> > keyexchange=ikev2
> > type=transport
> > left=10.10.10.5
> > right=y.y.y.y
> > leftprotoport=47
> > rightprotoport=47
> >
> >
> >
> >
>
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
More information about the Users
mailing list