[strongSwan] OPNsense - phase 2 SAs being dropped for no apparent reason

[Patrick M. Hausen]

Hi Tobias,

> Am 12.10.2021 um 10:02 schrieb Tobias Brunner <tobias at strongswan.org>:
> 
> Hi Patrick,
> 
>> The phase 1 entries are all set to "start immediately" - these are all 24x7
>> pre-configured connections, though we use IKE, of course, and not manual SPDs.
> 
> If there always is outbound traffic from your side, change the config to something that results in auto=route instead of auto=start, so the tunnel will automatically get (re-)created on matching traffic.  But investigating why it gets closed by the peer in the first place might also be worthwhile (might be some inactivity timeout, which would contradict the "always traffic" claim, or an issue during rekeying - you'll have to analyze the logs).

I hardcoded "closeaction = restart" in the OPNsense script that generates the
phase 2 entries and that seems to have done the trick.

What I don't understand is the reason why "auto = start" does not also imply
"restart whenever the tunnel drops for whatever reason". That seems to be
what the retired commercial product does.

And given the setup - enterprise gateway to gateway connects as a replacement
for dedicated leased lines for cost reasons - I cannot picture any motivation not
to keep all tunnels up 24x7. Even just one initial packet lost or delayed is one
too many.

I'll put the closeaction option into OPNsense and test "auto = route", but I'm still
confused. ;-)

Thanks!
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info at punkt.de

AG Mannheim 108285
Geschäftsführer: Jürgen Egeling, Daniel Lienert, Fabian Stein