Hi,

at one of our sites we are experiencing intermittent connection problems thanks to our ISP (hosts unreachable, timeouts, etc). This has been going on for weeks now and it affects the stability of our established IPSec tunnels to client sites. We are using StrongSwan 4.3.2 on Ubuntu 10.04.2 Server. Before the problems began the tunnels were running fine for months, so I doubt this is a configuration problem on our end.

Running "ipsec restart" after such a connection problem occurred re-establishes the tunnel and connectivity is restored. Before restarting, the tunnels seem to be in a state described by "ipsec statusall" as follows (hope this is legible, the lines are quite long):

000 "conn0": 80.x.y.112/32===80.x.y.112---80.x.y.100...192.z.k.4===10.10.30.28/32; prospective erouted; eroute owner: #0
000 "conn0": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "conn0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #12236: "conn0" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s
000 80.x.y.112/32:0 -> 10.10.30.28/32:22 => %hold:6 0 %acquire-netlink

What can I do to debug this and possibly even prevent it from happening? Any hints or pointers are welcome, especially RTFM links. I attached the ipsec.conf file for this example tunnel, if needed.

Thanks in advance!
Andreas

config setup
    plutodebug=none
    charonstart=no
    plutostart=yes

conn conn0:
    type = tunnel
    left = %defaultroute
    leftid = 80.x.y.112
    leftsourceip = 80.x.y.112
    right = 192.z.k.4
    rightsubnet = 10.10.30.28/32
    auth = esp
    pfs = yes
    pfsgroup = modp1536
    compress = no
    esp = 3des-sha1!
    ike = 3des-sha1-modp1536!
    ikelifetime = 86400s
    keylife = 3600s
    keyingtries = %forever
    keyexchange = ikev1
    authby = psk
    auto = start
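
Added example, not part of Andreas's post and not strongSwan code: a small parser that detects the stalled state visible in the quoted "ipsec statusall" output, where a connection has no ISAKMP or IPsec SA (#0) while a negotiation is still retransmitting. The function names and the SAMPLE constant are assumptions made for this illustration; the sample lines are the ones quoted in the post.

```python
import re

# Constructed sample: the "ipsec statusall" lines quoted in the post above.
SAMPLE = '''\
000 "conn0": 80.x.y.112/32===80.x.y.112---80.x.y.100...192.z.k.4===10.10.30.28/32; prospective erouted; eroute owner: #0
000 "conn0": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth1;
000 "conn0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #12236: "conn0" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s
000 80.x.y.112/32:0 -> 10.10.30.28/32:22 => %hold:6 0 %acquire-netlink
'''

# Patterns for the three line types that matter for this check.
NEWEST = re.compile(r'^000 "([^"]+)":\s+newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
STATE = re.compile(r'^000 #(\d+): "([^"]+)" (STATE_\w+) \(([^)]*)\); (EVENT_\w+)')
HOLD = re.compile(r'^000 (\S+) -> (\S+) => %hold')

def parse_status(text):
    """Return ({conn: {"isakmp", "ipsec", "states"}}, [(src, dst) of %hold entries])."""
    conns, holds = {}, []
    for line in text.splitlines():
        if m := NEWEST.match(line):
            c = conns.setdefault(m[1], {"states": []})
            c["isakmp"], c["ipsec"] = int(m[2]), int(m[3])
        elif m := STATE.match(line):
            # (state serial number, state name, pending event)
            conns.setdefault(m[2], {"states": []})["states"].append((int(m[1]), m[3], m[5]))
        elif m := HOLD.match(line):
            holds.append((m[1], m[2]))
    return conns, holds

def stalled(text):
    """Connections with no SA at all (#0/#0) that are still retransmitting."""
    conns, _ = parse_status(text)
    return sorted(
        name for name, c in conns.items()
        if c.get("isakmp") == 0 and c.get("ipsec") == 0
        and any(event == "EVENT_RETRANSMIT" for _, _, event in c["states"])
    )

if __name__ == "__main__":
    print(stalled(SAMPLE))
```

Feeding it the live output of "ipsec statusall" from a periodic job gives a timestamped record of when each tunnel entered this state, which can be lined up against the ISP outages.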
