[strongSwan] Issues with maintaining IKEv2 tunnels

noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Aug 17 17:11:16 CEST 2022


Hi all,

Regarding traps:
All supported OSes can do that. It's not special.
Auto=start does not install these traps.
If the tunnel is terminated you will not have any policies. Not even traps. The point of traps is to cause reestablishment of the SAs if there are none but there is traffic to be transported.

Kind regards
Noel


On 17 August 2022 14:36:14 UTC, "Dr. Rolf Jansen" <strongswan-rj at cyclaero.com> wrote:
>> On 17.08.2022 at 10:41, noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>> 
>> Hi all,
>> 
>> DPD and NAT keepalive only work on the IKE layer, not on the CHILD_SAs that you want.
>
>I didn't mention in my first post that I checked the SA dumps on both sides of a nonworking tunnel using "setkey -D", and I could not identify any obvious difference to a working one. I don't know whether I want something working on the CHILD_SAs, since those do think everything is in good shape.
>
>> Use auto=route, then bring up the tunnel manually once. Auto=route makes strongswan install trap policies for the traffic. That should improve reliability.
>
>In the manual: "route loads a connection and installs kernel traps"
>
>This is FreeBSD, not Linux, and I am hesitant to simply assume that some tricks in the Linux kernel would work with FreeBSD as well. Anyway, I can try it.
>
>I guess I need to set "auto = route" instead of "= add" at the IKEv2 central server and leave "auto = start" as is at the satellites.
>
>> The newest release brought a new value for start_action for use with swanctl/vici that enables installing of trap policies and starting of the tunnel when the daemon starts.
>
>At present, this is what "auto = start" does, and starting-up was never an issue. The issue is maintaining the connection on a 24/7 basis and recovering it, once there was an internet failure outside of my control.
>
>Best regards
>
>Rolf
Sent from mobile