Jiri,

> Our requirement is to keep retrying the tunnel no matter what happens,
> so I ended up with config like below for each host.

> It seems that strongswan just stopped trying to connect to
> some of the nodes (the failed "tunnels" are between different nodes, the
> distribution seems to be random). I am out of ideas why strongswan gave
> up trying and how to force real "forever retry".

> keyingtries=%forever
> dpdaction=restart
> closeaction=restart
> auto=start

Even with such a configuration, there is no guarantee that your tunnel comes up. strongSwan gives up tunnel negotiation if it fails with a permanent error.

To realize always-up tunnels, I recommend using auto=route for your connections. This installs trap policies, and negotiates tunnels on demand. The kernel ensures that no matching plain traffic leaves your box, but instead it triggers a new tunnel should one fail for whatever reason.

Regards
Martin
