Re: [strongSwan] Retry after failure

2020-10-11 Thread noel . kuntze+strongswan-users-ml
keyingtries

On October 11, 2020 4:56:59 PM UTC, Volodymyr Litovka wrote:
>Colleagues,
>
>how to configure strongSwan to continuously try to reconnect in case of
>network failure?
>
>My current settings are:
>
>charon {
> close_ike_on_child_failure = yes
> retry_initiate_interval = 30
> retransmit_base = 1.2
> retransmit_limit = 30
> retransmit_timeout = 2
> retransmit_tries = 3
>}
>
>and, in case of network failure, strongSwan behaves in the following way - it tries to reestablish connection 3 times and then finally gives up:
>
>16:34:28 2020 daemon.info : 07[IKE] sending DPD request
>16:34:28 2020 daemon.info : 07[ENC] generating INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
>16:34:28 2020 daemon.info : 07[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
>16:34:30 2020 daemon.info : 08[IKE] retransmit 1 of request with message ID 2
>16:34:30 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
>16:34:32 2020 daemon.info : 09[IKE] retransmit 2 of request with message ID 2
>16:34:32 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
>16:34:35 2020 daemon.info : 10[IKE] retransmit 3 of request with message ID 2
>16:34:35 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
>16:34:39 2020 daemon.info : 11[IKE] giving up after 3 retransmits
>16:34:39 2020 daemon.info : 11[IKE] restarting CHILD_SA rc
>16:34:39 2020 daemon.info : 11[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
>16:34:39 2020 daemon.info : 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>16:34:39 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:39 2020 daemon.info : 11[CHD] updown: Processing ''
>16:34:41 2020 daemon.info : 13[IKE] retransmit 1 of request with message ID 0
>16:34:41 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:43 2020 daemon.info : 14[IKE] retransmit 2 of request with message ID 0
>16:34:43 2020 daemon.info : 14[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:46 2020 daemon.info : 15[IKE] retransmit 3 of request with message ID 0
>16:34:46 2020 daemon.info : 15[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:49 2020 daemon.info : 16[IKE] giving up after 3 retransmits
>16:34:49 2020 daemon.info : 16[IKE] peer not responding, trying again (2/3)
>16:34:49 2020 daemon.info : 16[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
>16:34:49 2020 daemon.info : 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>16:34:49 2020 daemon.info : 16[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:51 2020 daemon.info : 05[IKE] retransmit 1 of request with message ID 0
>16:34:51 2020 daemon.info : 05[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:54 2020 daemon.info : 08[IKE] retransmit 2 of request with message ID 0
>16:34:54 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:34:57 2020 daemon.info : 09[IKE] retransmit 3 of request with message ID 0
>16:34:57 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:35:00 2020 daemon.info : 06[IKE] giving up after 3 retransmits
>16:35:00 2020 daemon.info : 06[IKE] peer not responding, trying again (3/3)
>16:35:00 2020 daemon.info : 06[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
>16:35:00 2020 daemon.info : 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>16:35:00 2020 daemon.info : 06[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:35:02 2020 daemon.info : 10[IKE] retransmit 1 of request with message ID 0
>16:35:02 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:35:05 2020 daemon.info : 11[IKE] retransmit 2 of request with message ID 0
>16:35:05 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:35:07 2020 daemon.info : 13[IKE] retransmit 3 of request with message ID 0
>16:35:07 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
>16:35:11 2020 daemon.info : 12[IKE] giving up after 3 retransmits
>16:35:11 2020 daemon.info : 12[IKE] establishing IKE_SA failed, peer not responding
>
>Is there a way to make it try continuously in order to establish
>connection as soon as the network is available again?
>
>In case it's essential, my environment is:
>
>- OS: OpenWRT 19.07.3
>- strongSwan: 5.8.2 (5.8.2_2)
>
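
Added example (not part of the thread and not strongSwan code): the `retransmit_*` values from the quoted `charon {}` block reproduce the timing in the quoted log, and the number of attempts is what `keyingtries` bounds. It assumes strongSwan's documented backoff (each wait is `retransmit_timeout * retransmit_base^n`, capped by `retransmit_limit`), no jitter, an effective `keyingtries` of 3 as implied by the "(2/3)" and "(3/3)" log lines, and treats `keyingtries = 0` as unlimited; the function names are hypothetical.

```python
import math

# Values from the charon {} block in the post.
POSTED = {"timeout": 2.0, "base": 1.2, "tries": 3, "limit": 30.0}


def retransmit_waits(timeout, base, tries, limit=0.0):
    """Waits in seconds for one IKE exchange: one before each of the
    `tries` retransmits, plus the final wait before "giving up"."""
    waits = []
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit > 0:  # retransmit_limit caps each single wait
            wait = min(wait, limit)
        waits.append(wait)
    return waits


def seconds_until_failed(keyingtries, **retransmit):
    """Time from the first IKE_SA_INIT to "establishing IKE_SA failed".
    keyingtries == 0 is modelled as unlimited attempts (assumption
    stated in the lead-in), so the initiator never gives up."""
    if keyingtries == 0:
        return math.inf
    return keyingtries * sum(retransmit_waits(**retransmit))


if __name__ == "__main__":
    waits = retransmit_waits(**POSTED)
    print("waits per exchange:", [round(w, 3) for w in waits])
    print("one exchange gives up after %.1f s" % sum(waits))
    for tries in (3, 0):
        print("keyingtries=%d -> fails after %s s"
              % (tries, seconds_until_failed(tries, **POSTED)))
```

With the posted values one exchange is abandoned after about 10.7 s, so three attempts fail after about 32 s, which matches the log (16:34:39 to 16:35:11).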

[strongSwan] Retry after failure

2020-10-11 Thread Volodymyr Litovka

Colleagues,

how to configure strongSwan to continuously try to reconnect in case of
network failure?

My current settings are:

charon {
    close_ike_on_child_failure = yes
    retry_initiate_interval = 30
    retransmit_base = 1.2
    retransmit_limit = 30
    retransmit_timeout = 2
    retransmit_tries = 3
}

and, in case of network failure, strongSwan behaves in the following way - it tries to reestablish connection 3 times and then finally gives up:

16:34:28 2020 daemon.info : 07[IKE] sending DPD request
16:34:28 2020 daemon.info : 07[ENC] generating INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
16:34:28 2020 daemon.info : 07[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:30 2020 daemon.info : 08[IKE] retransmit 1 of request with message ID 2
16:34:30 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:32 2020 daemon.info : 09[IKE] retransmit 2 of request with message ID 2
16:34:32 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:35 2020 daemon.info : 10[IKE] retransmit 3 of request with message ID 2
16:34:35 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[4500] to xx.xx.xx.xx[4500] (113 bytes)
16:34:39 2020 daemon.info : 11[IKE] giving up after 3 retransmits
16:34:39 2020 daemon.info : 11[IKE] restarting CHILD_SA rc
16:34:39 2020 daemon.info : 11[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:34:39 2020 daemon.info : 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:34:39 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:39 2020 daemon.info : 11[CHD] updown: Processing ''
16:34:41 2020 daemon.info : 13[IKE] retransmit 1 of request with message ID 0
16:34:41 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:43 2020 daemon.info : 14[IKE] retransmit 2 of request with message ID 0
16:34:43 2020 daemon.info : 14[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:46 2020 daemon.info : 15[IKE] retransmit 3 of request with message ID 0
16:34:46 2020 daemon.info : 15[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:49 2020 daemon.info : 16[IKE] giving up after 3 retransmits
16:34:49 2020 daemon.info : 16[IKE] peer not responding, trying again (2/3)
16:34:49 2020 daemon.info : 16[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:34:49 2020 daemon.info : 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:34:49 2020 daemon.info : 16[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:51 2020 daemon.info : 05[IKE] retransmit 1 of request with message ID 0
16:34:51 2020 daemon.info : 05[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:54 2020 daemon.info : 08[IKE] retransmit 2 of request with message ID 0
16:34:54 2020 daemon.info : 08[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:34:57 2020 daemon.info : 09[IKE] retransmit 3 of request with message ID 0
16:34:57 2020 daemon.info : 09[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:00 2020 daemon.info : 06[IKE] giving up after 3 retransmits
16:35:00 2020 daemon.info : 06[IKE] peer not responding, trying again (3/3)
16:35:00 2020 daemon.info : 06[IKE] initiating IKE_SA rc[2] to xx.xx.xx.xx
16:35:00 2020 daemon.info : 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16:35:00 2020 daemon.info : 06[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:02 2020 daemon.info : 10[IKE] retransmit 1 of request with message ID 0
16:35:02 2020 daemon.info : 10[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:05 2020 daemon.info : 11[IKE] retransmit 2 of request with message ID 0
16:35:05 2020 daemon.info : 11[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:07 2020 daemon.info : 13[IKE] retransmit 3 of request with message ID 0
16:35:07 2020 daemon.info : 13[NET] sending packet: from 192.168.2.212[500] to xx.xx.xx.xx[500] (1084 bytes)
16:35:11 2020 daemon.info : 12[IKE] giving up after 3 retransmits
16:35:11 2020 daemon.info : 12[IKE] establishing IKE_SA failed, peer not responding

Is there a way to make it try continuously in order to establish
connection as soon as the network is available again?

In case it's essential, my environment is:

- OS: OpenWRT 19.07.3
- strongSwan: 5.8.2 (5.8.2_2)

Thank you.


--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison