> Further, I assumed regardless of what happens (short of
> something catastrophic/fatal, like the unavailability of a critical
> system resource), strongSwan should always keep trying, forever. Is
> this an incorrect assumption?

Depending on your configuration, it should in most cases keep the tunnel up. What you have seen here, though, is a special case: the IKE_SA rekeying could not refresh the tunnel in time before the hard lifetime of the SA is reached. And as we really want to enforce the lifetime limit, the tunnel gets closed. DPD does not trigger, as the peer actually responds.

A responder could enforce tunnel re-establishment using a close-action (configured as dpd_action in ipsec.conf). The initiator of the delete currently does not enforce the close action for tunnels it deletes. And this does not make a lot of sense, as it shouldn't happen in a properly configured setup.

Regards
Martin
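The timing relationship behind the case described above, as an added example that is not part of the original message or of strongSwan's code: it checks how much time is left between the latest possible rekey start and the hard lifetime, and how many full rekey attempts fit into it. The rekey-start formula, the ipsec.conf option names `lifetime`/`margintime`/`rekeyfuzz` and the retransmission defaults (4 s timeout, base 1.8, 5 tries) are assumptions here; check them against the documentation for your version.

```python
# Added example: does the rekey margin leave room before the hard lifetime?
# Assumptions (not from the original message):
#   rekey start = lifetime - (margintime + random(0, margintime * rekeyfuzz))
#   one exchange gives up after sum(timeout * base**n) for n = 0..tries


def rekey_window(lifetime_s, margintime_s, rekeyfuzz_pct=100):
    """Return (earliest, latest) rekey start, in seconds after SA setup."""
    fuzz = margintime_s * rekeyfuzz_pct / 100.0
    earliest = lifetime_s - (margintime_s + fuzz)
    latest = lifetime_s - margintime_s
    if earliest <= 0:
        raise ValueError("margintime/rekeyfuzz leave no time before rekeying")
    return earliest, latest


def exchange_give_up_time(timeout_s=4.0, base=1.8, tries=5):
    """Seconds until one request is abandoned after all retransmits."""
    return sum(timeout_s * base ** n for n in range(tries + 1))


def check_margin(lifetime_s, margintime_s, rekeyfuzz_pct=100, **retransmit):
    """Compare the worst-case slack before hard expiry with one attempt."""
    earliest, latest = rekey_window(lifetime_s, margintime_s, rekeyfuzz_pct)
    slack = lifetime_s - latest  # rekey started as late as the fuzz allows
    give_up = exchange_give_up_time(**retransmit)
    return {
        "rekey_window": (earliest, latest),
        "slack_s": slack,
        "give_up_s": give_up,
        "attempts_that_fit": int(slack // give_up),
        "ok": slack > give_up,
    }


if __name__ == "__main__":
    # Constructed sample settings: a 1 h lifetime with a 9 min and a 1 min margin.
    for margin in (540, 60):
        result = check_margin(3600, margin)
        print(f"margintime={margin}s -> {result}")
```

With the short margin, a single rekey attempt that runs into retransmissions can outlast the remaining lifetime, which is the situation where the SA is deleted at its hard limit even though the peer still answers DPD.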
