Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
On 14 Sep 2017, at 11:23, Eric Germann  wrote:

> I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down 
> but needed and starts passing traffic.

Ok, thanx! I’ll let it run like this for a couple of days so I get a feel
for how it works and then try that if I have to..





Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Noel Kuntze


You need to use auto=route, otherwise the tunnel will not be established 
(anymore) if it ever gets deleted by one side, a fatal error is encountered or 
it can not
be established in the first place.

On 14.09.2017 12:23, Eric Germann wrote:
> I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down
> but needed and starts passing traffic.
>
> EKG
>
>> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson  wrote:
>>
>> I’ve been playing with:
>>
>>     type=tunnel
>>     auto=start
>>     dpdaction=restart
>>     dpddelay=2400s
>>
>> which never worked. I’ve now changed this to:
>>
>>     type=tunnel
>>     auto=start
>>     dpdaction=restart
>>     dpddelay=10
>>     dpdtimeout=60
>>
>> and so far so good. Although I haven’t waited long enough, so I’m
>> going to let it be for the next few days to see if that works in the long
>> run.
>>
>> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
>> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
>> in London that need access to databases in Ireland to work.
>>
>> I’m considering setting up DBs in London as well, but that will both
>> cost a small fortune AND replication/updates on the DBs will be
>> problematic. So I’d prefer a “perfect” link between them...
>>
>>> On 13 Sep 2017, at 20:16, Noel Kuntze  wrote:
>>>
>>> Hi,
>>>
>>> DPD just checks if the remote peer is still "there" and reachable. It doesn't
>>> do anything with the CHILD_SAs.
>>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't
>>> work anymore if the NAT mapping on an intermediate NAT router
>>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without
>>> renegotiating new ones, destroying the tunnel.
>>>
>>> Use auto=route (swanctl equivalent is start_action=trap), as advised previously.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting
>>>>> traffic going and it will stay up.
>>>>>
>>>>> If you have the ability to set "auto = route" it will reestablish the tunnel
>>>>> as needed. We run several hundred tunnels this way in AWS without issue.
>>>>>
>>>>> EKG
>>>>>
>>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
>>>>>>
>>>>>> I’m trying to setup a tunnel between two regions in
>>>>>> AWS.
>>>>>>
>>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>>> down the tunnel automatically (?) after a few hours.
>>>>>>
>>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>>> the connection automatically?
>>>>>>
>>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>>>
>>>> Michael Schwartzkopff
>>>>
>>>> Kind regards,
>>>>




Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Eric Germann
I’ve found auto=route to be much more stable in AWS.  Spins up when it’s down 
but needed and starts passing traffic.

EKG

> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson  wrote:
> 
> I’ve been playing with:
> 
>     type=tunnel
>     auto=start
>     dpdaction=restart
>     dpddelay=2400s
> 
> which never worked. I’ve now changed this to:
> 
>     type=tunnel
>     auto=start
>     dpdaction=restart
>     dpddelay=10
>     dpdtimeout=60
> 
> and so far so good. Although I haven’t waited long enough, so I’m
> going to let it be for the next few days to see if that works in the long
> run.
> 
> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
> in London that need access to databases in Ireland to work.
> 
> 
> I’m considering setting up DBs in London as well, but that will both
> cost a small fortune AND replication/updates on the DBs will be
> problematic. So I’d prefer a “perfect” link between them...
> 
> 
>> On 13 Sep 2017, at 20:16, Noel Kuntze 
>>  wrote:
>> 
>> Hi,
>> 
>> DPD just checks if the remote peer is still "there" and reachable. It 
>> doesn't do anything with the CHILD_SAs.
>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't 
>> work anymore if the NAT mapping on an intermediate NAT router
>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without 
>> renegotiating new ones, destroying the tunnel.
>> 
>> Use auto=route (swanctl equivalent is start_action=trap), as advised 
>> previously.
>> 
>> Kind regards
>> 
>> Noel
>> 
>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>>>> interesting traffic going and it will stay up.
>>>>
>>>> If you have the ability to set "auto = route" it will reestablish the 
>>>> tunnel as needed. We run several hundred tunnels this way in AWS without 
>>>> issue.
>>>>
>>>> EKG
>>>>
>>>>
>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
>>>>>
>>>>> I’m trying to setup a tunnel between two regions in
>>>>> AWS.
>>>>>
>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>> down the tunnel automatically (?) after a few hours.
>>>>>
>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>> the connection automatically?
>>>>>
>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>> 
>>> 
>>> Michael Schwartzkopff
>>> 
>>> Kind regards,
>>> 
>> 
> 





Re: [strongSwan] 24/7/365 tunnel?

2017-09-14 Thread Turbo Fredriksson
I’ve been playing with:

type=tunnel
auto=start
dpdaction=restart
dpddelay=2400s

which never worked. I’ve now changed this to:

type=tunnel
auto=start
dpdaction=restart
dpddelay=10
dpdtimeout=60

and so far so good. Although I haven’t waited long enough, so I’m
going to let it be for the next few days to see if that works in the long
run.

Would it help to set ‘auto=route’ instead? Thing is, I need this link to
be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
in London that need access to databases in Ireland to work.


I’m considering setting up DBs in London as well, but that will both
cost a small fortune AND replication/updates on the DBs will be
problematic. So I’d prefer a “perfect” link between them...


> On 13 Sep 2017, at 20:16, Noel Kuntze 
>  wrote:
> 
> Hi,
> 
> DPD just checks if the remote peer is still "there" and reachable. It doesn't 
> do anything with the CHILD_SAs.
> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't 
> work anymore if the NAT mapping on an intermediate NAT router
> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without 
> renegotiating new ones, destroying the tunnel.
> 
> Use auto=route (swanctl equivalent is start_action=trap), as advised 
> previously.
> 
> Kind regards
> 
> Noel
> 
> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>>> interesting traffic going and it will stay up.
>>> 
>>> If you have the ability to set "auto = route" it will reestablish the 
>>> tunnel as needed. We run several hundred tunnels this way in AWS without 
>>> issue.
>>> 
>>> EKG
>>> 
>>> 
>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
>>>>
>>>> I’m trying to setup a tunnel between two regions in
>>>> AWS.
>>>>
>>>> Works fine, other than the fact that Strongswan seems to take
>>>> down the tunnel automatically (?) after a few hours.
>>>>
>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>> the connection automatically?
>>>>
>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>> 
>> 
>> Michael Schwartzkopff
>> 
>> Kind regards,
>> 
> 





Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Noel Kuntze
Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't 
do anything with the CHILD_SAs.
It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work 
anymore if the NAT mapping on an intermediate NAT router
would expire). Peers are free to delete CHILD_SAs and IKE_SAs without 
renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards

Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
>> interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel 
>> as needed. We run several hundred tunnels this way in AWS without issue.  
>>
>> EKG
>>
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
>>>
>>> I’m trying to setup a tunnel between two regions in
>>> AWS.
>>>
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>>
>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
>>>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
>
> Michael Schwartzkopff
>
> Kind regards,
>
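
As an added example (not configuration from the thread or the strongSwan project), the ipsec.conf shape the original poster described beside the on-demand variant recommended above, plus its swanctl.conf equivalent; connection names, addresses and subnets are placeholders I chose:

```conf
# ipsec.conf as described in the thread: auto=start initiates once when the
# daemon starts. If either peer later deletes the IKE_SA or CHILD_SA, nothing
# re-creates it (DPD only notices an unreachable peer, not a clean delete).
conn db-link-start                 # placeholder name
    type=tunnel
    auto=start
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=60s                 # only honoured by IKEv1; IKEv2 uses retransmits

# Recommended shape: auto=route installs a trap policy at boot, so the first
# packet matching the traffic selectors (re)negotiates the SAs, whatever tore
# them down. Endpoint addresses and subnets are placeholders.
conn db-link-route
    type=tunnel
    auto=route
    dpdaction=restart
    dpddelay=10s
    closeaction=restart            # re-create the CHILD_SA if the peer closes it
    left=203.0.113.10              # placeholder: London endpoint
    leftsubnet=10.1.0.0/16
    right=198.51.100.20            # placeholder: Ireland endpoint
    rightsubnet=10.2.0.0/16

# swanctl.conf equivalent of the second conn: start_action=trap, as Noel notes
connections {
    db-link {
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        dpd_delay = 10s
        children {
            db-link {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap    # trap policy on load, negotiate on demand
                dpd_action   = trap    # reinstall the trap after a DPD timeout
                close_action = trap    # and after a peer-initiated close
            }
        }
    }
}
```

With the trap variant the policy exists from boot, but the SAs are only negotiated when matching traffic appears, so a quiet link shows as "routed" rather than "established" until the first packet.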





Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Michael Schwartzkopff
On 13.09.2017 at 17:33, Eric Germann wrote:
> Usually if it "takes down the tunnel" it's due to no traffic. Keep 
> interesting traffic going and it will stay up.
>
> If you have the ability to set "auto = route" it will reestablish the tunnel 
> as needed. We run several hundred tunnels this way in AWS without issue.  
>
> EKG
>
>
>> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
>>
>> I’m trying to setup a tunnel between two regions in
>> AWS.
>>
>> Works fine, other than the fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automatically?
>>
Dead Peer Detection (DPD) sends packets that keep the tunnel up.


Michael Schwartzkopff

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein






Re: [strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Eric Germann
Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting 
traffic going and it will stay up.

If you have the ability to set "auto = route" it will reestablish the tunnel as 
needed. We run several hundred tunnels this way in AWS without issue.  

EKG


> On Sep 13, 2017, at 09:21, Turbo Fredriksson  wrote:
> 
> I’m trying to setup a tunnel between two regions in
> AWS.
> 
> Works fine, other than the fact that Strongswan seems to take
> down the tunnel automatically (?) after a few hours.
> 
> How can I 1) make sure there’s no timeout (?) and 2) that IF
> the tunnel goes down, for whatever reason, that it will reinitiate
> the connection automatically?
> 




[strongSwan] 24/7/365 tunnel?

2017-09-13 Thread Turbo Fredriksson
I’m trying to setup a tunnel between two regions in
AWS.

Works fine, other than the fact that Strongswan seems to take
down the tunnel automatically (?) after a few hours.

How can I 1) make sure there’s no timeout (?) and 2) that IF
the tunnel goes down, for whatever reason, that it will reinitiate
the connection automatically?


