I’ve found auto=route to be much more stable in AWS. Spins up when it’s down but needed and starts passing traffic.

EKG

> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson <[email protected]> wrote:
>
> I’ve been playing with:
>
> type=tunnel
> auto=start
> dpdaction=restart
> dpddelay=2400s
>
> which never worked. I’ve now changed this to:
>
> type=tunnel
> auto=start
> dpdaction=restart
> dpddelay=10
> dpdtimeout=60
>
> and so far so good. Although I haven’t waited long enough, so I’m
> going to let it be for the next few days to see if that works in the long
> run.
>
> Would it help to set ‘auto=route’ instead? Thing is, I need this link to
> be started at boot AND be up 24/7/365 - I have a (bunch of) web apps
> in London that need access to databases in Ireland to work.
>
> I’m considering setting up DBs in London as well, but that will both
> cost a small fortune AND replication/updates on the DBs will be
> problematic. So I’d prefer a “perfect” link between them...
>
>> On 13 Sep 2017, at 20:16, Noel Kuntze <[email protected]> wrote:
>>
>> Hi,
>>
>> DPD just checks if the remote peer is still "there" and reachable. It
>> doesn't do anything with the CHILD_SAs.
>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't
>> work anymore if the NAT mapping on an intermediate NAT router
>> would expire). Peers are free to delete CHILD_SAs and IKE_SAs without
>> renegotiating new ones, destroying the tunnel.
>>
>> Use auto=route (swanctl equivalent is start_action=trap), as advised
>> previously.
>>
>> Kind regards
>>
>> Noel
>>
>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>> On 13.09.2017 at 17:33, Eric Germann wrote:
>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep
>>>> interesting traffic going and it will stay up.
>>>>
>>>> If you have the ability to set "auto = route" it will reestablish the
>>>> tunnel as needed. We run several hundred tunnels this way in AWS without
>>>> issue.
>>>>
>>>> EKG
>>>>
>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <[email protected]> wrote:
>>>>>
>>>>> I’m trying to set up a tunnel between two regions in
>>>>> AWS.
>>>>>
>>>>> Works fine, other than the fact that Strongswan seems to take
>>>>> down the tunnel automatically (?) after a few hours.
>>>>>
>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF
>>>>> the tunnel goes down, for whatever reason, that it will reinitiate
>>>>> the connection automatically?
>>>>>
>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>>
>>> Michael Schwartzkopff
>>>
>>> Kind regards,
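As an added example that is not part of this thread, here are the two ipsec.conf variants discussed above side by side, followed by the swanctl.conf form Noel points to (start_action=trap). Connection names, subnets and the REMOTE_PEER_PUBLIC_IP placeholder are constructed, and authentication settings are omitted.

```conf
# ipsec.conf (constructed example; placeholders, no auth settings)

# Brittle: auto=start negotiates the tunnel once at boot. If either peer
# deletes the CHILD_SA/IKE_SA without rekeying, nothing re-triggers the
# negotiation, and dpddelay=2400s only notices a dead peer after 40 minutes.
conn london-to-ireland-start
    type=tunnel
    auto=start
    left=%defaultroute
    leftsubnet=10.10.0.0/16
    right=REMOTE_PEER_PUBLIC_IP
    rightsubnet=10.20.0.0/16
    dpdaction=restart
    dpddelay=2400s

# Preferred: auto=route installs trap policies at boot. The first packet
# matching leftsubnet<->rightsubnet (re)negotiates the tunnel, so a tunnel
# torn down by either side comes back as soon as traffic needs it.
conn london-to-ireland-route
    type=tunnel
    auto=route
    left=%defaultroute
    leftsubnet=10.10.0.0/16
    right=REMOTE_PEER_PUBLIC_IP
    rightsubnet=10.20.0.0/16
    keyingtries=%forever
    dpdaction=restart
    dpddelay=10s
    # dpdtimeout applies to IKEv1 only; IKEv2 uses the retransmission timeout
    dpdtimeout=60s

# swanctl.conf equivalent (strongSwan 5.x; auth sections omitted)
connections {
    london-to-ireland {
        remote_addrs = REMOTE_PEER_PUBLIC_IP
        keyingtries = 0            # 0 = retry indefinitely
        dpd_delay = 10s
        children {
            net {
                local_ts  = 10.10.0.0/16
                remote_ts = 10.20.0.0/16
                start_action = trap    # swanctl equivalent of auto=route
                dpd_action   = restart
                close_action = trap    # reinstall the trap if the peer closes the SA
            }
        }
    }
}
```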
