I’ve been playing with:
type=tunnel
auto=start
dpdaction=restart
dpddelay=2400s
which never worked. I’ve now changed this to:
type=tunnel
auto=start
dpdaction=restart
dpddelay=10
dpdtimeout=60
and so far so good. Although I haven’t waited long enough, so I’m
going to let it be for the next few days to see if that works in the long
run.
Would it help to set ‘auto=route’ instead? Thing is, I need this link to
be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
in London that need access to databases in Ireland to work.
I’m considering setting up DBs in London as well, but that will both
cost a small fortune AND replication/updates on the DBs will be
problematic. So I’d prefer a “perfect” link between them...
> On 13 Sep 2017, at 20:16, Noel Kuntze
> <[email protected]> wrote:
>
> Hi,
>
> DPD just checks if the remote peer is still "there" and reachable. It doesn't
> do anything with the CHILD_SAs.
> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't
> work anymore if the NAT mapping on an intermediate NAT router
> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without
> renegotiating new ones, destroying the tunnel.
>
> Use auto=route (swanctl equivalent is start_action=trap), as advised
> previously.
>
> Kind regards
>
> Noel
>
> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep
>>> interesting traffic going and it will stay up.
>>>
>>> If you have the ability to set "auto = route" it will reestablish the
>>> tunnel as needed. We run several hundred tunnels this way in AWS without
>>> issue.
>>>
>>> EKG
>>>
>>>
>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <[email protected]> wrote:
>>>>
>>>> I’m trying to setup a tunnel between two regions in
>>>> AWS.
>>>>
>>>> Works fine, other than the fact that Strongswan seems to take
>>>> down the tunnel automatically (?) after a few hours.
>>>>
>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>> the connection automatically?
>>>>
>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>
>>
>> Michael Schwartzkopff
>>
>> Kind regards,
>>
>
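For reference, the two alternatives discussed in this thread side by side, as an added illustration that is not from any of the posters: the auto=start conn that relies on dpdaction=restart alone, and the auto=route conn Noel recommends together with its swanctl.conf equivalent (start_action=trap). The conn/child names, addresses and subnets are placeholders.

```ini
# --- ipsec.conf, variant 1: what the original poster has now ---
# The tunnel is initiated once at boot. If the peer deletes the CHILD_SA
# without renegotiating (which Noel notes it is free to do), nothing
# recreates it: DPD only detects a dead peer, it does not watch CHILD_SAs.
conn london-to-ireland-start
    type=tunnel
    auto=start
    dpdaction=restart
    dpddelay=10
    dpdtimeout=60          # IKEv1 only; IKEv2 uses its retransmission timeouts
    left=%defaultroute
    leftsubnet=10.1.0.0/16         # placeholder: London subnet
    right=203.0.113.10             # placeholder: Ireland peer address
    rightsubnet=10.2.0.0/16        # placeholder: Ireland subnet

# --- ipsec.conf, variant 2: auto=route as advised in the thread ---
# A trap policy is installed at boot instead of negotiating immediately.
# Any packet matching the subnets triggers (re)negotiation, so the link
# comes back on demand whenever the web apps talk to the databases,
# regardless of why the previous SA went away.
conn london-to-ireland-route
    type=tunnel
    auto=route
    dpdaction=restart
    dpddelay=10
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=203.0.113.10
    rightsubnet=10.2.0.0/16

# --- swanctl.conf equivalent of variant 2 ---
# start_action=trap on the child corresponds to auto=route;
# dpd_delay lives on the connection, dpd_action on the child.
connections {
    london-to-ireland {
        remote_addrs = 203.0.113.10
        dpd_delay = 10s
        children {
            dbs {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
```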