Hello Paul, pleased to meet you. I do have "auto=start" configured, but unfortunately, it behaves differently.

The opposite end is also a VTI on a Cisco router, and the VTI on my side does not come up, no matter what happens. I tried to delete SAs on both sides (till there's no SA shown on my side, using "ip xfrm state"), playing with right/left subnets and then generating traffic accordingly (now the subnets are 0.0.0.0/0), issuing "ipsec whack --listen", since sometimes I bring the tunnel down by unplugging the cable and then Pluto does not resume listening automatically. All to no avail, unfortunately. As far as I remember, debugs on the Cisco side do not indicate incoming re-establishment tries. At least, not full IKE negotiations (maybe there's something, but very limited at most). What I discovered is that re-adding the connection and then using "--up" will bring it up, restarting the IPsec service will also bring it up automatically, and (surprisingly, to some extent) so does shutting Pluto down ("ipsec whack --shutdown"). Maybe I'm doing something wrong, that's why I'm seeking help here. Thank you.

On 19 Jan 2018 4:11 AM, "Paul Wouters" <p...@nohats.ca> wrote:

> On Thu, 18 Jan 2018, Alex K. wrote:
>
>> What are the possible ways to bring a Libreswan VTI up?
>>
>> Let me elaborate the situation a little bit - I have a Libreswan 3.21
>> compiled from sources on Debian Stretch as. Anyhow, I have a
>> basic VTI setup according to the example on Libreswan website.
>
> Using the vti options in the connection is the best way. Then,
> the VTI interfaces are created/deleted when the tunnels go up
> or down. You can do things manually too using the "ip tun"
> command, but I wouldn't recommend it.
>
>> On system startup, everything works just fine. The question is, how can I
>> bring the tunnel up (after say, a restart to the opposite
>> end), *without* manual intervention?
>>
>> Sure, I can always get to the box, get the terminal up and run "sudo
>> ipsec auto --add vti1", following "--up". But say I'm not on
>> site right now or wish to plan for better VPN recovery setup, what are my
>> possibilities? Can some traffic bring the VTI up? Is there
>> a keep alive/always up setting?
>
> If you have auto=start, whenever the tunnel goes down, it will
> automatically try to restart. Even if the other end sends you
> a delete request.
>
> When using auto=ondemand, if the tunnel goes down, it will only
> be brought back up when there is traffic to trigger the tunnel.
>
> Paul
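For reference, an added illustration (not from the original thread and not the Libreswan project's own example) of a route-based VTI connection in /etc/ipsec.conf with auto=start, together with Dead Peer Detection so that a peer that vanishes without sending a delete (cable pulled, remote reboot) is detected and the tunnel re-initiated rather than waiting for the SA lifetime to expire. The interface name, mark value, addresses, IDs and authentication method are placeholder assumptions; the Cisco side is assumed to be configured to match.

```ini
# Added example, not from the original thread. Addresses, IDs, interface
# name and mark value are placeholders; adapt them to the actual site.
conn vti-cisco
    # Libreswan initiates at startup and re-initiates whenever the tunnel
    # drops, including after a delete from the peer (Paul's point above).
    auto=start

    # Route-based tunnel: the IPsec policy covers everything, and what
    # actually goes through the tunnel is decided by routing via the VTI.
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

    # VTI settings: one unique mark per tunnel; Libreswan creates and
    # deletes the interface as the tunnel comes up and goes down.
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    # Placeholder address assigned to the local end of the VTI.
    leftvti=192.0.2.1/30

    # Dead Peer Detection: probe every 10 s, declare the peer dead after
    # 60 s of silence, then tear down the stale SAs and re-initiate.
    # Without this a silently vanished peer is only noticed much later.
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart

    # Endpoint and authentication placeholders.
    left=198.51.100.1
    leftid=@vti-linux.example
    right=203.0.113.1
    rightid=@vti-cisco.example
    authby=secret
```

After editing, load it with "ipsec auto --add vti-cisco" (or restart the service) and confirm the SAs with "ip xfrm state", as in the thread; with auto=start plus dpdaction=restart no further manual "--up" should be needed after the peer returns.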
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan