Hi,

DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs. It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router expired). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.
Use auto=route (swanctl equivalent is start_action=trap), as advised previously.

Kind regards

Noel

On 13.09.2017 17:38, Michael Schwartzkopff wrote:
> On 13.09.2017 at 17:33, Eric Germann wrote:
>> Usually if it "takes down the tunnel" it's due to no traffic. Keep
>> interesting traffic going and it will stay up.
>>
>> If you have the ability to set "auto = route" it will reestablish the tunnel
>> as needed. We run several hundred tunnels this way in AWS without issue.
>>
>> EKG
>>
>>
>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <[email protected]> wrote:
>>>
>>> I'm trying to set up a tunnel between two regions in
>>> AWS.
>>>
>>> Works fine, other than the fact that Strongswan seems to take
>>> down the tunnel automatically (?) after a few hours.
>>>
>>> How can I 1) make sure there's no timeout (?) and 2) that IF
>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>> the connection automatically?
>>>
> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>
>
> Michael Schwartzkopff
>
> Kind regards,
>
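As an added illustration of the advice in this thread (this is example configuration, not something posted by any of the participants and not a strongSwan project file), the two equivalent ways to install a trap policy so that a deleted or expired SA is re-negotiated by the next interesting packet, with DPD set to merely detect a dead peer and clear the SA rather than to keep the tunnel up. The addresses, subnets, identities and the PSK placeholder are assumptions chosen from documentation ranges; replace them with your own.

```conf
# --- Legacy ipsec.conf (stroke) variant ----------------------------------
# /etc/ipsec.conf
conn aws-region-b
    keyexchange=ikev2
    left=198.51.100.5                 # assumed local public address
    leftid=vpn-a.example.com          # assumed local IKE identity
    leftsubnet=10.1.0.0/16            # assumed local VPC CIDR
    right=203.0.113.10                # assumed remote public address
    rightid=vpn-b.example.com         # assumed remote IKE identity
    rightsubnet=10.2.0.0/16           # assumed remote VPC CIDR
    authby=secret                     # PSK from /etc/ipsec.secrets
    dpddelay=30s                      # send DPD liveness checks every 30s
    dpdaction=clear                   # dead peer: drop the SA, keep the trap policy
    auto=route                        # install a trap policy, negotiate on first packet

# /etc/ipsec.secrets (placeholder PSK, replace with a strong random secret)
# vpn-a.example.com vpn-b.example.com : PSK "REPLACE-WITH-STRONG-PSK"

# --- swanctl.conf (vici) equivalent -------------------------------------
# /etc/swanctl/conf.d/aws-region-b.conf
connections {
    aws-region-b {
        version = 2
        local_addrs  = 198.51.100.5
        remote_addrs = 203.0.113.10
        dpd_delay = 30s               # DPD only detects; it does not hold SAs up
        local {
            auth = psk
            id = vpn-a.example.com
        }
        remote {
            auth = psk
            id = vpn-b.example.com
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap   # swanctl equivalent of auto=route
                dpd_action   = clear  # on dead peer: delete SA, trap policy remains
                close_action = trap   # peer deletes the SA: fall back to the trap
            }
        }
    }
}
secrets {
    ike-aws-region-b {
        id = vpn-b.example.com
        secret = "REPLACE-WITH-STRONG-PSK"   # placeholder, not a real secret
    }
}
```

Load the swanctl variant with `swanctl --load-all` and confirm the trap policy with `swanctl --list-pols`; the CHILD_SA will not appear in `swanctl --list-sas` until the first packet matching the traffic selectors triggers negotiation. Note that with a trap policy the first packets after an SA has been deleted are dropped while IKE runs, so a long-lived health check across the tunnel (or a keepalive from the application side) is what keeps an SA continuously present; DPD alone, as Noel says, only tells you the peer is gone.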
