[strongSwan] Retry after failure

Volodymyr Litovka doka.ua at gmx.com
Sun Oct 11 18:56:59 CEST 2020


Colleagues,

How do I configure strongSwan to continuously try to reconnect in case of
network failure?

My current settings are:

charon {
     close_ike_on_child_failure = yes
     retry_initiate_interval = 30
     retransmit_base = 1.2
     retransmit_limit = 30
     retransmit_timeout = 2
     retransmit_tries = 3
}

and, in case of network failure, strongSwan behaves in the following way
- it tries to reestablish connection 3 times and then finally gives up:

16:34:28 2020 daemon.info : 07[IKE] sending DPD request
16:34:28 2020 daemon.info : 07[ENC] generating INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
16:34:28 2020 daemon.info : 07[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:30 2020 daemon.info : 08[IKE] retransmit 1 of request with message ID 2
16:34:30 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:32 2020 daemon.info : 09[IKE] retransmit 2 of request with message ID 2
16:34:32 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:35 2020 daemon.info : 10[IKE] retransmit 3 of request with message ID 2
16:34:35 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:39 2020 daemon.info : 11[IKE] giving up after 3 retransmits
16:34:39 2020 daemon.info : 11[IKE] restarting CHILD_SA rc
16:34:39 2020 daemon.info : 11[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:34:39 2020 daemon.info : 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:34:39 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:39 2020 daemon.info : 11[CHD] updown: Processing ''
16:34:41 2020 daemon.info : 13[IKE] retransmit 1 of request with message ID 0
16:34:41 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:43 2020 daemon.info : 14[IKE] retransmit 2 of request with message ID 0
16:34:43 2020 daemon.info : 14[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:46 2020 daemon.info : 15[IKE] retransmit 3 of request with message ID 0
16:34:46 2020 daemon.info : 15[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:49 2020 daemon.info : 16[IKE] giving up after 3 retransmits
16:34:49 2020 daemon.info : 16[IKE] peer not responding, trying again (2/3)
16:34:49 2020 daemon.info : 16[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:34:49 2020 daemon.info : 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:34:49 2020 daemon.info : 16[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:51 2020 daemon.info : 05[IKE] retransmit 1 of request with message ID 0
16:34:51 2020 daemon.info : 05[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:54 2020 daemon.info : 08[IKE] retransmit 2 of request with message ID 0
16:34:54 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:57 2020 daemon.info : 09[IKE] retransmit 3 of request with message ID 0
16:34:57 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:00 2020 daemon.info : 06[IKE] giving up after 3 retransmits
16:35:00 2020 daemon.info : 06[IKE] peer not responding, trying again (3/3)
16:35:00 2020 daemon.info : 06[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:35:00 2020 daemon.info : 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:35:00 2020 daemon.info : 06[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:02 2020 daemon.info : 10[IKE] retransmit 1 of request with message ID 0
16:35:02 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:05 2020 daemon.info : 11[IKE] retransmit 2 of request with message ID 0
16:35:05 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:07 2020 daemon.info : 13[IKE] retransmit 3 of request with message ID 0
16:35:07 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:11 2020 daemon.info : 12[IKE] giving up after 3 retransmits
16:35:11 2020 daemon.info : 12[IKE] establishing IKE_SA failed, peer not responding

Is there a way to make it try continuously, so that it establishes the
connection as soon as the network is available again?

In case it's essential, my environment is:

- OS: OpenWRT 19.07.3
- strongSwan: 5.8.2 (5.8.2_2)

Thank you.


--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
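An added example (not from the original post) that reproduces strongSwan's retransmission schedule from the settings above, where the n-th retransmit waits retransmit_timeout * retransmit_base^n seconds (capped by retransmit_limit; retransmit_jitter is not set and is ignored here), and checks it against the retransmit timestamps in the log. The log lines are copied from the post; the function names are my own.

```python
import re
from datetime import datetime

# Log lines copied from the post above (first DPD sequence only).
SAMPLE_LOG = [
    "16:34:28 2020 daemon.info : 07[IKE] sending DPD request",
    "16:34:30 2020 daemon.info : 08[IKE] retransmit 1 of request with message ID 2",
    "16:34:32 2020 daemon.info : 09[IKE] retransmit 2 of request with message ID 2",
    "16:34:35 2020 daemon.info : 10[IKE] retransmit 3 of request with message ID 2",
    "16:34:39 2020 daemon.info : 11[IKE] giving up after 3 retransmits",
]

def retransmit_schedule(timeout=2.0, base=1.2, tries=3, limit=30.0):
    """Seconds after the first send at which charon retransmits a request
    (entries 1..tries) and finally gives up (last entry).
    Interval n is timeout * base**n, capped at retransmit_limit."""
    offsets, elapsed = [], 0.0
    for n in range(tries + 1):
        elapsed += min(timeout * base ** n, limit)
        offsets.append(elapsed)
    return offsets

LOG_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) .*\[IKE\] "
    r"(sending DPD request|initiating IKE_SA|retransmit \d of request|giving up after)"
)

def observed_offsets(lines):
    """Seconds of each retransmit / give-up relative to the first send in `lines`.
    Timestamps in the log have one-second resolution."""
    start, out = None, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        if m.group(2) in ("sending DPD request", "initiating IKE_SA"):
            start = t
        elif start is not None:
            out.append((t - start).total_seconds())
    return out

def matches(expected, observed, tol=1.0):
    """True if every observed event is within `tol` seconds of the computed schedule."""
    return len(expected) == len(observed) and all(
        abs(e - o) <= tol for e, o in zip(expected, observed))

if __name__ == "__main__":
    print(retransmit_schedule(), observed_offsets(SAMPLE_LOG))
```

With the posted settings one request is abandoned after about 10.7 s, so the three IKE_SA_INIT attempts in the log fit the roughly 32 s between the first "restarting CHILD_SA" and "establishing IKE_SA failed".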
