[strongSwan] Issues with maintaining IKEv2 tunnels

Michael Schwartzkopff ms at sys4.de
Wed Aug 17 14:56:19 CEST 2022


On 17.08.22 14:50, Dr. Rolf Jansen wrote:
> Hello,
>
> The IKEv2 tunnels are established between device controllers in a remote pilot plant in Spain, which is connected to the internet by a G4 mobile router, and an AWS-EC2 instance in Frankfurt. On both sides strongSwan v5.9.6 is installed and the OS is FreeBSD 13.0-RELEASE. Both sides are behind NAT and receive their local IP via DHCP. For this reason I added on both sides static local alias IPs of another reserved block to the respective network adapter.
>
> Mobile connections are not as stable as wired ones, and quite frequently we suffer connection losses. In the pilot plant are two almost identical device controllers, and each establishes its own IPsec tunnel to said EC2. Usually both are down at the same time. This tells me that the origin of the connection loss is external, and out of my control. I want to focus on how to reliably bring them up again, once the connection was lost.


That is exactly why Dead-Peer-Detection was included in IKEv2. Did you try using DPD?



> So, I wrote a script which on the remote sites checks the IPsec status of the connection, and calls „ipsec up“ in case it is down. The problem now is that „ipsec status“ seems to think it is up even if the connection is broken, and according to the logs, charon keeps on for hours happily sending keep-alive messages to the IP of the AWS-EC2 instance, which at the same time sends keep-alives as well to its peers, and everybody does it over the already broken connections.
>
> I experimented with mobike = YES, but it did not make a difference.
>
>
> Questions:
>
> Is there a more reliable way than „ipsec status“ for knowing whether an IPsec tunnel went down?
>
> I am not 100 % sure, but it seems that „ipsec up“ does not always bring a broken connection up again, should I call something else?
>
> The more drastic solution would be to let the remote site ping the internal alias address of the EC2 and, in case the connection is broken, simply call „service strongswan restart“. However, if I need to resort to this measure, for what reason do we have „ipsec status“ and „ipsec up“ then?
>
> Best regards
>
> Rolf Jansen


Kind regards,

-- 

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
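As an added illustration of the DPD suggestion above (this is not configuration from the thread or from the strongSwan project), a strongSwan 5.9 ipsec.conf fragment for the pilot-plant side, plus the strongswan.conf retransmission settings that decide how quickly an unanswered DPD exchange makes charon give up on the IKE_SA and re-initiate it. Connection name, identities, addresses and subnets are placeholders; the file paths assume the FreeBSD port's usual /usr/local/etc prefix.

```ini
# --- /usr/local/etc/ipsec.conf (plant-side controller, initiator) ---
conn ec2-frankfurt
        keyexchange=ikev2
        auto=start                   # start at boot / `ipsec reload`, not via a cron script
        left=%defaultroute
        leftid=@controller-1.plant.example     # placeholder identity
        leftsubnet=10.200.0.0/24               # placeholder: static alias block at the plant
        right=ec2.example.invalid              # placeholder: EC2 public DNS name or EIP
        rightid=@ec2.example.invalid
        rightsubnet=10.201.0.0/24              # placeholder: static alias block in the VPC
        authby=pubkey
        # Dead Peer Detection: while the IKE_SA is idle, send an empty INFORMATIONAL
        # every 30 s. If the peer stops answering (after the retransmissions below),
        # charon deletes the IKE_SA and immediately re-initiates it.
        dpdaction=restart
        dpddelay=30s
        # Also re-initiate if the peer deletes the SA or negotiation fails, and
        # never stop retrying while the 4G link is down.
        closeaction=restart
        keyingtries=%forever
        # Keep MOBIKE on: if the router's NAT mapping or public IP changes, the
        # IKE_SA is updated instead of waiting for DPD to time it out.
        mobike=yes

# On the EC2 side use dpdaction=clear (or hold) instead of restart, so that
# only the plant re-initiates and the two ends do not race each other; with
# uniqueids=yes (the default) a fresh IKE_SA from the same identity replaces
# the stale one the EC2 still holds.

# --- /usr/local/etc/strongswan.conf (both sides) ---
charon {
        # A DPD request is retransmitted retransmit_tries times, the interval
        # growing as retransmit_timeout * retransmit_base^n. With these (default)
        # values the peer is declared dead roughly 165 s after the first unanswered
        # request; lower the tries for faster failover on a flaky mobile link.
        retransmit_tries = 5
        retransmit_timeout = 4.0
        retransmit_base = 1.8
        # NAT keep-alives only keep the UDP mapping open; they are not answered,
        # so they never detect a dead peer on their own. DPD does that.
        keep_alive = 20s
}
```

After `ipsec reload`, `ipsec statusall` lists the dpddelay/dpdaction per connection, and a peer timeout shows up in the charon log as a "giving up after N retransmits" message followed by the restart of the connection.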