[strongSwan] had to manually up a connection

Alex K rightkicktech at gmail.com
Fri Mar 6 07:06:12 CET 2020 

On Fri, Mar 6, 2020, 04:45 Victor Sudakov <vas at sibptus.ru> wrote:

> Hello Noel,
>
> According to ipsec.conf(5) "auto=start loads a connection and brings it
> up immediately." What is the expected behavior of auto=start on
> connection *loss* (e.g. peer death is detected by DPD)?
>
My understanding is that dpdaction=restart should automatically restart the
connection upon dead peer detection and restore it back again when the peer
becomes available.

>
> I want Strongswan to reestablish this connection immediately after the
> right side becomes alive again, not when there are packets for it.
>
>
> Noel Kuntze wrote:
> > Hello Victor,
> >
> > You configured it to start, not to try to reinitiate. Use auto=route
> > for the latter. It will try to reestablish when there's packets for it
> > then though, not immediately.
>
> >
> > Kind regards
> >
> > Noel
> >
> > Am 05.03.20 um 12:03 schrieb Victor Sudakov:
> > > Dear Colleagues,
> > >
> > > There was a power outage, the Mikrotik router at home was powered off
> > > for several hours. Then it was powered on again but there was no IPSec
> > > SA from work (Strongswan) to home (Mikrotik).
> > >
> > > I had to run "ipsec up home" at work to make things work again. Why did
> > > the SA not start automatically when the Mikrotik became available
> again?
> > >
> > > This is the relevant Strongswan config (yes the Strongswan at work is
> > > behind NAT).
> > >
> > > conn home
> > >     auto=start
> > >     authby=secret
> > >     dpddelay=10s
> > >     dpdaction=restart
> > >     esp=aes256-sha1-modp2048
> > >     ike=aes256-sha1-modp2048
> > >     ikelifetime=1h
> > >     lifetime=10m
> > >     keyexchange=ikev2
> > >     type=transport
> > >     left=10.10.10.5
> > >     right=y.y.y.y
> > >     leftprotoport=47
> > >     rightprotoport=47
> > >
> > >
> > >
> > >
> >
>
>
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200306/590e11b1/attachment.html>

More information about the Users mailing list