Hi Andreas, from your ipsec.conf file I see that you configured
dpddelay = 30s
dpdtimeout = 20s
with dpdtimeout being shorter than dpddelay. This means that
your connection restarts before the first DPD check happens.
We recommend for dpdtimeout to be between 4-5 times higher
than dpddelay, so that the connection is cut only if 4-5
keep-alive packets are not received. In your case:
dpddelay = 30s
dpdtimeout = 150s
Regards
Andreas
On 03.04.2013 00:29, Andreas Ntaflos wrote:
Hi,
we have various Strongswan instances (4.5.2, Ubuntu 12.04) running and
connecting to various remote sites (customers, partners, etc) we have no
control over. Most remote sites use some kind of Checkpoint or Cisco
device, one uses a Watchguard Firebox. All tunnels use IKEv1. An example
Strongswan connection config is shown below.
I have observed that when a connection/tunnel between our Strongswan
endpoint and a remote site has been idle for too long (no idea how long
exactly), i.e. no traffic went through the tunnel for some time, we need
to restart Strongswan on our side to re-enable traffic to the remote
site. Otherwise ping, SSH and anything else just time out. After a
restart everything instantly works again as expected.
This is very probably a configuration issue somewhere but I have no idea
where to start looking. I'd suspect things like keylife and ikelifetime
are candidates but as far as I can tell these two settings are the same
and correct on both sides.
I'd appreciate any hints on how to debug this.
Thanks in advance,
Andreas
conn us.example.com--them.example.net
    type = tunnel
    left = x.y.167.219
    leftid = x.y.167.219
    leftsubnet = 10.1.63.0/24
    right = x.z.170.105
    rightid = x.z.170.105
    rightsubnet = 10.60.2.0/24
    auth = esp
    pfs = yes
    pfsgroup = modp1024
    compress = no
    esp = aes256-sha1!
    ike = aes256-sha1-modp1024!
    ikelifetime = 28800s
    keylife = 3600s
    keyingtries = %forever
    keyexchange = ikev1
    authby = psk
    dpdaction = restart
    dpddelay = 30s
    dpdtimeout = 20s
    auto = start
======================================================================
Andreas Steffen                                  [email protected]
strongSwan - the Linux VPN Solution!              www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
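As an added illustration of the timing rule given in the reply above (this is example code written for this thread, not strongSwan's own tooling), the following Python script parses the conn sections of an ipsec.conf-style text, converts strongSwan time values to seconds, and flags any connection whose dpdtimeout is not longer than dpddelay or allows fewer than the recommended 4-5 missed keep-alives. The sample configuration embedded at the bottom is constructed: it contains the posted 30s/20s pair next to the same connection with the suggested 150s timeout; the conn names and the check_dpd/lint helper names are assumptions for the example.

```python
"""Lint DPD timing in strongSwan ipsec.conf conn sections.

Added example for this thread, not strongSwan's own tooling. It applies the
rule from the reply above: dpdtimeout should be roughly 4-5 times dpddelay,
so the connection is only torn down after several missed keep-alives.
"""
import re

# strongSwan time-value suffixes: seconds, minutes, hours, days.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TIME_RE = re.compile(r"^(\d+)([smhd]?)$")


def parse_time(value: str) -> int:
    """Convert a strongSwan time value such as '30s', '5m' or '24h' to seconds."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNIT_SECONDS[unit or "s"]


def parse_ipsec_conf(text: str) -> dict:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Minimal parser: a 'conn NAME' line opens a section, 'key = value' lines
    belong to the most recent section, and '#' starts a comment.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns


def check_dpd(params: dict, min_ratio: int = 4, max_ratio: int = 5) -> dict:
    """Check one conn's DPD timing against the 4-5x recommendation.

    Returns the parsed seconds, a boolean 'ok' and a readable 'reason'.
    Connections without both DPD settings are reported as not checked.
    """
    if "dpddelay" not in params or "dpdtimeout" not in params:
        return {"checked": False, "ok": True, "reason": "no DPD timing configured"}
    delay = parse_time(params["dpddelay"])
    timeout = parse_time(params["dpdtimeout"])
    recommended = f"{min_ratio * delay}s-{max_ratio * delay}s"
    if timeout <= delay:
        ok = False
        reason = (f"dpdtimeout ({timeout}s) is not longer than dpddelay ({delay}s): "
                  f"the connection restarts before the first DPD check happens; "
                  f"suggest dpdtimeout = {recommended}")
    elif timeout < min_ratio * delay:
        ok = False
        reason = (f"dpdtimeout ({timeout}s) allows fewer than {min_ratio} missed "
                  f"keep-alives; suggest dpdtimeout = {recommended}")
    else:
        ok = True
        reason = f"dpdtimeout ({timeout}s) permits {timeout // delay} missed keep-alives"
    return {"checked": True, "ok": ok, "delay": delay, "timeout": timeout, "reason": reason}


def lint(text: str) -> dict:
    """Run check_dpd over every conn section in an ipsec.conf text."""
    return {name: check_dpd(params) for name, params in parse_ipsec_conf(text).items()}


# Constructed sample: the thread's DPD values as posted (timeout shorter than
# delay) next to the same conn with the recommended 150s timeout.
SAMPLE_CONF = """\
conn site-a
    keyexchange = ikev1
    dpdaction = restart
    dpddelay = 30s
    dpdtimeout = 20s
    auto = start

conn site-b
    keyexchange = ikev1
    dpdaction = restart
    dpddelay = 30s
    dpdtimeout = 150s
    auto = start
"""

if __name__ == "__main__":
    for name, result in lint(SAMPLE_CONF).items():
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {name}: {result['reason']}")
```

Run it against a real ipsec.conf by reading the file into `lint()`; the first sample conn is reported as BAD with a suggestion of 120s-150s, the second as OK with five tolerated missed keep-alives.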
