Re: [strongSwan] 24/7/365 tunnel?
On 14 Sep 2017, at 11:23, Eric Germann wrote:

> I’ve found auto=route to be much more stable in AWS. Spins up when it’s down
> but needed and starts passing traffic.

Ok, thanks! I’ll let it run like this for a couple of days so I get a feel
for how it works and then try that if I have to..
Re: [strongSwan] 24/7/365 tunnel?
You need to use auto=route, otherwise the tunnel will not be established
(anymore) if it ever gets deleted by one side, a fatal error is encountered
or it can not be established in the first place.

On 14.09.2017 12:23, Eric Germann wrote:
> I’ve found auto=route to be much more stable in AWS. Spins up when it’s down
> but needed and starts passing traffic.
>
> EKG
>
>> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson wrote:
>>
>> I’ve been playing with:
>>
>> type=tunnel
>> auto=start
>> dpdaction=restart
>> dpddelay=2400s
>>
>> which never worked. I’ve now changed this to:
>>
>> type=tunnel
>> auto=start
>> dpdaction=restart
>> dpddelay=10
>> dpdtimeout=60
>>
>> and so far so good. Although I haven’t waited long enough, so I’m
>> going to let it be for the next few days to see if that works in the long
>> run.
>>
>> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
>> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
>> in London that need access to databases in Ireland to work.
>>
>> I’m considering setting up DBs in London as well, but that will both
>> cost a small fortune AND replication/updates on the DBs will be
>> problematic. So I’d prefer a “perfect” link between them...
>>
>>> On 13 Sep 2017, at 20:16, Noel Kuntze wrote:
>>>
>>> [...]
Re: [strongSwan] 24/7/365 tunnel?
I’ve found auto=route to be much more stable in AWS. Spins up when it’s down
but needed and starts passing traffic.

EKG

> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson wrote:
>
> I’ve been playing with:
>
> type=tunnel
> auto=start
> dpdaction=restart
> dpddelay=2400s
>
> which never worked. I’ve now changed this to:
>
> type=tunnel
> auto=start
> dpdaction=restart
> dpddelay=10
> dpdtimeout=60
>
> and so far so good. Although I haven’t waited long enough, so I’m
> going to let it be for the next few days to see if that works in the long
> run.
>
> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
> in London that need access to databases in Ireland to work.
>
> I’m considering setting up DBs in London as well, but that will both
> cost a small fortune AND replication/updates on the DBs will be
> problematic. So I’d prefer a “perfect” link between them...
>
>> On 13 Sep 2017, at 20:16, Noel Kuntze wrote:
>>
>> [...]
Re: [strongSwan] 24/7/365 tunnel?
I’ve been playing with:

type=tunnel
auto=start
dpdaction=restart
dpddelay=2400s

which never worked. I’ve now changed this to:

type=tunnel
auto=start
dpdaction=restart
dpddelay=10
dpdtimeout=60

and so far so good. Although I haven’t waited long enough, so I’m
going to let it be for the next few days to see if that works in the long
run.

Would it help to set ‘auto=route’ instead? Thing is, I need this link to
be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
in London that need access to databases in Ireland to work.

I’m considering setting up DBs in London as well, but that will both
cost a small fortune AND replication/updates on the DBs will be
problematic. So I’d prefer a “perfect” link between them...

> On 13 Sep 2017, at 20:16, Noel Kuntze wrote:
>
> Hi,
>
> DPD just checks if the remote peer is still "there" and reachable. It doesn't
> do anything with the CHILD_SAs.
> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't
> work anymore if the NAT mapping on an intermediate NAT router
> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without
> renegotiating new ones, destroying the tunnel.
>
> Use auto=route (swanctl equivalent is start_action=trap), as advised
> previously.
>
> Kind regards
>
> Noel
>
>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>
>> [...]
Re: [strongSwan] 24/7/365 tunnel?
Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't
do anything with the CHILD_SAs.
It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't
work anymore if the NAT mapping on an intermediate NAT router
would expire). Peers are free to delete CHILD_SAs and IKE_SAs without
renegotiating new ones, destroying the tunnel.

Use auto=route (swanctl equivalent is start_action=trap), as advised
previously.

Kind regards

Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep
>> interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel
>> as needed. We run several hundred tunnels this way in AWS without issue.
>>
>> EKG
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>>
>>> [...]
>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
> Michael Schwartzkopff
>
> Kind regards,
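The two configurations the thread argues about, side by side, as an added example (not config posted by any participant): the auto=start form from Turbo's message, the auto=route form Eric and Noel recommend, and the swanctl.conf equivalent using the start_action=trap that Noel names. All addresses, identities, subnets, connection names and the pre-shared key are placeholders. closeaction, the IKEv1-only note on dpdtimeout and the swanctl dpd_action/close_action names come from the ipsec.conf(5) and swanctl.conf(5) manuals rather than from the thread; check them against the manual for the strongSwan version you run.

```conf
# /etc/ipsec.conf  (added example; every address, ID and subnet is a placeholder)

# As posted: auto=start initiates the connection once at boot. If either peer
# later deletes the CHILD_SA, or the very first attempt fails, nothing brings
# it back. DPD only detects a dead IKE peer; it does not re-create a CHILD_SA
# that the peer deleted cleanly.
conn london-dublin-start
        keyexchange=ikev2
        type=tunnel
        left=10.0.1.10               # instance private address (AWS NATs the EIP 1:1)
        leftid=@london.example.net   # explicit ID, so the NATed address does not matter
        leftsubnet=10.0.0.0/16
        right=203.0.113.20           # peer's Elastic IP
        rightid=@dublin.example.net
        rightsubnet=10.1.0.0/16
        authby=secret                # PSK lives in /etc/ipsec.secrets
        dpddelay=10s
        dpdaction=restart
        dpdtimeout=60s               # IKEv1 only; with IKEv2 charon's retransmission timeout applies
        auto=start

# Corrected: auto=route installs a trap policy at boot instead of an SA. The
# first packet matching leftsubnet<->rightsubnet triggers negotiation, and the
# same trap re-triggers it after a peer-initiated delete, a failed attempt or
# a daemon restart. closeaction=restart re-initiates immediately when the peer
# deletes the CHILD_SA; the manual warns against it where the peer relies on
# reauthentication or uniqueids to replace SAs, so enable it on one side only.
conn london-dublin
        keyexchange=ikev2
        type=tunnel
        left=10.0.1.10
        leftid=@london.example.net
        leftsubnet=10.0.0.0/16
        right=203.0.113.20
        rightid=@dublin.example.net
        rightsubnet=10.1.0.0/16
        authby=secret
        dpddelay=10s
        dpdaction=restart
        closeaction=restart
        auto=route

# /etc/ipsec.secrets  (placeholder; generate a long random secret, never reuse this one)
# @london.example.net @dublin.example.net : PSK "replace-with-a-long-random-secret"


# /etc/swanctl/swanctl.conf  equivalent of the corrected conn
connections {
    london-dublin {
        version = 2
        local_addrs  = 10.0.1.10
        remote_addrs = 203.0.113.20
        dpd_delay = 10s
        local {
            auth = psk
            id = london.example.net
        }
        remote {
            auth = psk
            id = dublin.example.net
        }
        children {
            db {
                local_ts  = 10.0.0.0/16
                remote_ts = 10.1.0.0/16
                start_action = trap     # swanctl equivalent of auto=route
                dpd_action   = restart  # mirrors dpdaction=restart
                close_action = start    # mirrors closeaction=restart (swanctl spells it "start")
            }
        }
    }
}
secrets {
    ike-london-dublin {
        id-1 = london.example.net
        id-2 = dublin.example.net
        secret = "replace-with-a-long-random-secret"
    }
}
```

Two AWS details that this example assumes and that bite when forgotten: both instances sit behind 1:1 NAT, so IKE negotiates NAT traversal and the security groups must allow UDP 500 and UDP 4500 from the peer's Elastic IP (plain ESP never leaves the instance); and for the remote subnet to be reachable, source/destination checking must be disabled on each VPN instance and the VPC route table for 10.1.0.0/16 (respectively 10.0.0.0/16) must point at that instance. With auto=route the first packet after an outage is consumed by the trap and negotiation, so the application sees one retried connection rather than a permanently dead link.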
Re: [strongSwan] 24/7/365 tunnel?
On 13.09.2017 at 17:33, Eric Germann wrote:
> Usually if it "takes down the tunnel" it's due to no traffic. Keep
> interesting traffic going and it will stay up.
>
> If you have the ability to set "auto = route" it will reestablish the tunnel
> as needed. We run several hundred tunnels this way in AWS without issue.
>
> EKG
>
>> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>>
>> I’m trying to setup a tunnel between two regions in
>> AWS.
>>
>> Works fine, other than the fact that Strongswan seems to take
>> down the tunnel automatically (?) after a few hours.
>>
>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>> the tunnel goes down, for whatever reason, that it will reinitiate
>> the connection automatically?

Dead Peer Detection (DPD) sends packets that keep the tunnel up.

Michael Schwartzkopff

Kind regards,

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
Re: [strongSwan] 24/7/365 tunnel?
Usually if it "takes down the tunnel" it's due to no traffic. Keep
interesting traffic going and it will stay up.

If you have the ability to set "auto = route" it will reestablish the tunnel
as needed. We run several hundred tunnels this way in AWS without issue.

EKG

> On Sep 13, 2017, at 09:21, Turbo Fredriksson wrote:
>
> I’m trying to setup a tunnel between two regions in
> AWS.
>
> Works fine, other than the fact that Strongswan seems to take
> down the tunnel automatically (?) after a few hours.
>
> How can I 1) make sure there’s no timeout (?) and 2) that IF
> the tunnel goes down, for whatever reason, that it will reinitiate
> the connection automatically?
[strongSwan] 24/7/365 tunnel?
I’m trying to setup a tunnel between two regions in AWS.

Works fine, other than the fact that Strongswan seems to take
down the tunnel automatically (?) after a few hours.

How can I 1) make sure there’s no timeout (?) and 2) that IF
the tunnel goes down, for whatever reason, that it will reinitiate
the connection automatically?