Hi, we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and connecting to various remote sites (customers, partners, etc.) we have no control over. Most remote sites use some kind of Checkpoint or Cisco device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example Strongswan connection config is shown below.
I have observed that when a connection/tunnel between our Strongswan
endpoint and a remote site has been idle for too long (no idea how long
exactly), i.e. no traffic went through the tunnel for some time, we need
to restart Strongswan on our side to re-enable traffic to the remote
site. Otherwise ping, SSH and anything else just time out. After a
restart everything instantly works again as expected.
This is very probably a configuration issue somewhere but I have no idea
where to start looking. I'd suspect things like keylife and ikelifetime
are candidates but as far as I can tell these two settings are the same
and correct on both sides.
I'd appreciate any hints on how to debug this.
Thanks in advance,
Andreas
conn us.example.com--them.example.net
    type = tunnel
    left = x.y.167.219
    leftid = x.y.167.219
    leftsubnet = 10.1.63.0/24
    right = x.z.170.105
    rightid = x.z.170.105
    rightsubnet = 10.60.2.0/24
    auth = esp
    pfs = yes
    pfsgroup = modp1024
    compress = no
    esp = aes256-sha1!
    ike = aes256-sha1-modp1024!
    ikelifetime = 28800s
    keylife = 3600s
    keyingtries = %forever
    keyexchange = ikev1
    authby = psk
    dpdaction = restart
    dpddelay = 30s
    dpdtimeout = 20s
    auto = start
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
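The first thing to establish when a tunnel "looks up" but passes no traffic is which SAs actually exist on the local end: an IKE_SA that is still ESTABLISHED while its CHILD_SA (the IPsec SA carrying the subnets) has disappeared is a different failure from a connection with no SA at all, and the two point at different settings (CHILD_SA lifetime/rekeying on the one hand, DPD and IKE reauthentication on the other). The script below is an added diagnostic example, not code from the post above or from the strongSwan project. It parses the text output of `ipsec statusall` and classifies every configured connection as `up` (CHILD_SA INSTALLED), `ike-only` (IKE_SA ESTABLISHED, no CHILD_SA INSTALLED) or `down` (no IKE_SA). The line shapes it matches are what strongSwan 4.x prints, as far as I know them, and the embedded sample output is constructed to that shape rather than captured from any real system; check the regular expressions against your own `ipsec statusall` output before relying on the classification.

```python
"""Classify strongSwan connections from `ipsec statusall` output.

Added example, not from the mailing-list post. The line formats below are
assumed from strongSwan 4.x output; the sample text is constructed.
"""
import re
import subprocess

# Constructed sample: three configured connections. The first has a healthy
# IKE_SA plus CHILD_SA, the second has an IKE_SA but its CHILD_SA is gone
# (the "tunnel up, no traffic" state), the third has no SA at all.
SAMPLE_STATUSALL = """\
Connections:
us.example.com--them.example.net:  x.y.167.219...x.z.170.105
us.example.com--them.example.net:   local:  [x.y.167.219] uses pre-shared key authentication
us.example.com--partner.example.org:  x.y.167.219...x.w.12.34
us.example.com--third.example.com:  x.y.167.219...x.v.56.78
Security Associations:
us.example.com--them.example.net[1]: ESTABLISHED 2 hours ago, x.y.167.219[x.y.167.219]...x.z.170.105[x.z.170.105]
us.example.com--them.example.net[1]: IKE SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 5 hours
us.example.com--them.example.net{1}:  INSTALLED, TUNNEL, ESP SPIs: c1e2d3f4_i a5b6c7d8_o
us.example.com--them.example.net{1}:   10.1.63.0/24 === 10.60.2.0/24
us.example.com--partner.example.org[2]: ESTABLISHED 9 hours ago, x.y.167.219[x.y.167.219]...x.w.12.34[x.w.12.34]
us.example.com--partner.example.org[2]: IKE SPIs: 3333333333333333_i* 4444444444444444_r, pre-shared key reauthentication in 1 hour
"""

# Assumed line shapes (strongSwan 4.x):
#   <conn>:  <local>...<remote>                 in the "Connections:" section
#   <conn>[<n>]: <IKE_SA state> ...             one IKE_SA
#   <conn>{<n>}:  <CHILD_SA state>, TUNNEL, ... one CHILD_SA
# Lines that do not match any of these (SPI lines, traffic selectors) are ignored.
CONN_RE = re.compile(r"^(?P<conn>[^\s:\[{]+):\s+\S+\.\.\.\S+$")
IKE_RE = re.compile(r"^(?P<conn>[^\s:\[{]+)\[\d+\]:\s+"
                    r"(?P<state>CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|DELETING)\b")
CHILD_RE = re.compile(r"^(?P<conn>[^\s:\[{]+)\{\d+\}:\s+"
                      r"(?P<state>CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|DELETING)\b")


def parse_statusall(text):
    """Return (configured names, {conn: [IKE states]}, {conn: [CHILD states]})."""
    configured = set()
    ike = {}
    child = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            configured.add(m.group("conn"))
            continue
        m = IKE_RE.match(line)
        if m:
            ike.setdefault(m.group("conn"), []).append(m.group("state"))
            continue
        m = CHILD_RE.match(line)
        if m:
            child.setdefault(m.group("conn"), []).append(m.group("state"))
    return configured, ike, child


def classify(text):
    """Map each connection to 'up', 'ike-only' or 'down'."""
    configured, ike, child = parse_statusall(text)
    result = {}
    for conn in sorted(configured | set(ike)):
        if "INSTALLED" in child.get(conn, []):
            result[conn] = "up"          # IPsec SA present, traffic can flow
        elif "ESTABLISHED" in ike.get(conn, []):
            result[conn] = "ike-only"    # IKE_SA alive, CHILD_SA missing
        else:
            result[conn] = "down"        # nothing negotiated at all
    return result


def main():
    # Run the real command when available; fall back to the constructed sample.
    try:
        text = subprocess.run(["ipsec", "statusall"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ipsec statusall not available; using constructed sample output")
        text = SAMPLE_STATUSALL
    for conn, state in classify(text).items():
        print(f"{state:9s} {conn}")


if __name__ == "__main__":
    main()
```

An `ike-only` result right after the symptom appears is the case where comparing the CHILD_SA lifetime (`keylife`) and rekey behaviour on both ends, and the timestamps in the strongSwan log around the last rekey, is most likely to be productive; a `down` result with `dpdaction = restart` configured says the re-establishment itself is not happening and the DPD exchange and IKE log lines are the place to look.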
