Hi Harald,

> dpdaction = hold

This does not make much sense for roadwarrior connections, as the installed trap policy won't allow the gateway to establish a new SA with a disappeared client. In particular because virtual IPs are used and the authentication is asymmetric, that is, it's always the client that has to initiate the connection. Use `clear` instead to just remove the state on the server.

> dpddelay = 30s

This together with dpdtimeout (which defaults to 150s) is probably too low. The Mac OS X client apparently expects some state to still be available when it reconnects after waking up (maybe it does not expect the server to use DPD and remove its state at all). Since the client doesn't do a Mode Config exchange when reconnecting (this looks the same when Mac OS X clients reauthenticate), this only works if the server still has the previous IKE_SA available (including the previously assigned virtual IP), which allows it to detect this new connection as a reauthentication and migrate the virtual IP to the new SA. Since that's not the case here, you'll end up with the following error:

> Mar 7 07:37:47 srvl047 charon: 15[CFG] looking for a child config for
> 172.19.96.0/19 === 172.19.97.68/32
> Mar 7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for us:
> Mar 7 07:37:47 srvl047 charon: 15[CFG] 172.19.96.0/19
> Mar 7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for other:
> Mar 7 07:37:47 srvl047 charon: 15[CFG] dynamic
> Mar 7 07:37:47 srvl047 charon: 15[IKE] no matching CHILD_SA config found

As you can see, the client proposes its previous virtual IP 172.19.97.68/32 as local traffic selector, but because the server has no knowledge about that VIP it can't replace the dynamic traffic selector in its own configuration and there is no match.

I'd try to increase the dpdtimeout and/or dpddelay settings so that clients may be suspended for longer periods.

Regards,
Tobias

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
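As an added example (not from the thread or from strongSwan), a small Python detector that scans charon log output for the failure signature quoted above: a child-config lookup in which the peer proposes a single host address from the virtual IP range as its traffic selector, followed on the same charon thread by "no matching CHILD_SA config found". The VIP range argument is an assumption; the thread does not state the pool, so the sample call uses the gateway subnet that appears in the log, which contains the stale VIP.

```python
import ipaddress
import re

# Constructed sample input: the charon lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Mar 7 07:37:47 srvl047 charon: 15[CFG] looking for a child config for 172.19.96.0/19 === 172.19.97.68/32
Mar 7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for us:
Mar 7 07:37:47 srvl047 charon: 15[CFG] 172.19.96.0/19
Mar 7 07:37:47 srvl047 charon: 15[CFG] proposing traffic selectors for other:
Mar 7 07:37:47 srvl047 charon: 15[CFG] dynamic
Mar 7 07:37:47 srvl047 charon: 15[IKE] no matching CHILD_SA config found
"""

# syslog timestamp, host, "charon:", then "<thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
LOOKUP_RE = re.compile(r"looking for a child config for (?P<local>\S+) === (?P<remote>\S+)")
NO_MATCH = "no matching CHILD_SA config found"


def find_stale_vip_reauths(log_text, vip_range):
    """Return (timestamp, host) pairs for every lookup where the peer proposed a
    single host address inside vip_range (assumed: the network virtual IPs are
    assigned from) and charon then reported no matching CHILD_SA config on the
    same thread. That is the pattern of a client reconnecting with a VIP the
    gateway has already forgotten after DPD cleared its IKE_SA."""
    pool = ipaddress.ip_network(vip_range)
    pending = {}  # thread id -> (timestamp, proposed host address)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        lookup = LOOKUP_RE.search(msg)
        if lookup:
            remote = ipaddress.ip_network(lookup["remote"], strict=False)
            # only a host route (/32 or /128) taken from the VIP range is suspicious
            if remote.prefixlen == remote.max_prefixlen and remote.subnet_of(pool):
                pending[thread] = (m["ts"], str(remote.network_address))
            else:
                pending.pop(thread, None)
        elif NO_MATCH in msg and thread in pending:
            hits.append(pending.pop(thread))
    return hits


if __name__ == "__main__":
    for ts, host in find_stale_vip_reauths(SAMPLE_LOG, "172.19.96.0/19"):
        print(f"{ts}: peer proposed stale virtual IP {host}, lookup failed")
```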
