[strongSwan] Issues with maintaining IKEv2 tunnels
Dr. Rolf Jansen
strongswan-rj at cyclaero.com
Wed Aug 17 16:36:14 CEST 2022
> On 17.08.2022 at 10:41, noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>
> Hi all,
>
> DPD and NAT keepalive only work on the IKE layer, not on the CHILD_SAs that you want.
I didn't mention in my first post that I had checked the SA dumps on both sides of a non-working tunnel using "setkey -D", and I could not identify any obvious difference from a working one. I don't know whether I want something working on the CHILD_SAs, since those think everything is in good shape.
> Use auto=route, then bring up the tunnel manually once. auto=route makes strongSwan install trap policies for the traffic. That should improve reliability.
In the manual: "route loads a connection and installs kernel traps"
This is FreeBSD, not Linux, and I am hesitant to simply assume that some tricks in the Linux kernel would work with FreeBSD as well. Anyway, I can try it.
I guess I need to specify "auto = route" instead of "= add" at the IKEv2 central server and leave "auto = start" as is at the satellites.
> The newest release brought a new value for start_action for use with swanctl/vici that enables installing trap policies and starting the tunnel when the daemon starts.
At present, this is what "auto = start" does, and starting up was never an issue. The issue is maintaining the connection on a 24/7 basis and recovering it once there has been an internet failure outside of my control.
Best regards
Rolf
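The hub/satellite split discussed above (auto=route at the central server, auto=start at the satellites), written out as an added ipsec.conf example that is not part of the original thread. Hostnames, IDs and subnets are placeholders; it assumes the satellite has a resolvable address, because a trap policy can only re-initiate the CHILD_SA when the hub knows where to send IKE traffic.

```ini
# --- hub (IKEv2 central server): /usr/local/etc/ipsec.conf excerpt ---
# auto=route loads the conn and installs kernel trap policies instead of
# negotiating immediately; matching traffic (an "acquire") re-triggers the
# CHILD_SA after an outage. Bring it up manually once after loading:
#   ipsec up sat1
conn sat1
    keyexchange=ikev2
    left=hub.example.org        # placeholder: hub's public address
    leftid=@hub.example.org
    leftsubnet=10.0.0.0/24      # placeholder: hub-side network
    right=sat1.example.org      # placeholder: must resolve for trap re-initiation
    rightid=@sat1.example.org
    rightsubnet=10.1.0.0/24     # placeholder: satellite-side network
    auto=route

# --- satellite: /usr/local/etc/ipsec.conf excerpt ---
# auto=start negotiates as soon as the daemon comes up, as before.
conn hub
    keyexchange=ikev2
    left=%defaultroute
    leftid=@sat1.example.org
    leftsubnet=10.1.0.0/24
    right=hub.example.org
    rightid=@hub.example.org
    rightsubnet=10.0.0.0/24
    auto=start

# swanctl.conf equivalent of auto=route for the hub's child, if migrating
# from ipsec.conf: children { sat1 { start_action = trap } }
```

Check the result with `ipsec statusall` (or `swanctl -l`): a routed-but-idle conn shows as "ROUTED" until traffic triggers it, after which the CHILD_SA appears as "INSTALLED".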