You need to use auto=route, otherwise the tunnel will not be established (anymore) if it ever gets deleted by one side, a fatal error is encountered or it cannot be established in the first place.
On 14.09.2017 12:23, Eric Germann wrote:
> I’ve found auto=route to be much more stable in AWS. Spins up when it’s down but needed and starts passing traffic.
>
> EKG
>
>> On Sep 14, 2017, at 6:21 AM, Turbo Fredriksson <[email protected]> wrote:
>>
>> I’ve been playing with:
>>
>>     type=tunnel
>>     auto=start
>>     dpdaction=restart
>>     dpddelay=2400s
>>
>> which never worked. I’ve now changed this to:
>>
>>     type=tunnel
>>     auto=start
>>     dpdaction=restart
>>     dpddelay=10
>>     dpdtimeout=60
>>
>> and so far so good. Although I haven’t waited long enough, so I’m going to let it be for the next few days to see if that works in the long run.
>>
>> Would it help to set ‘auto=route’ instead? Thing is, I need this link to be started at boot AND be up 24/7/365 - I have a (bunch of) web apps in London that need access to databases in Ireland to work.
>>
>> I’m considering setting up DBs in London as well, but that will both cost a small fortune AND replication/updates on the DBs will be problematic. So I’d prefer a “perfect” link between them...
>>
>>> On 13 Sep 2017, at 20:16, Noel Kuntze <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> DPD just checks if the remote peer is still "there" and reachable. It doesn't do anything with the CHILD_SAs.
>>> It only helps to keep up the IKE_SA and keep it working (e.g. it wouldn't work anymore if the NAT mapping on an intermediate NAT router would expire). Peers are free to delete CHILD_SAs and IKE_SAs without renegotiating new ones, destroying the tunnel.
>>>
>>> Use auto=route (swanctl equivalent is start_action=trap), as advised previously.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 13.09.2017 17:38, Michael Schwartzkopff wrote:
>>>> On 13.09.2017 17:33, Eric Germann wrote:
>>>>> Usually if it "takes down the tunnel" it's due to no traffic. Keep interesting traffic going and it will stay up.
>>>>>
>>>>> If you have the ability to set "auto = route" it will reestablish the tunnel as needed. We run several hundred tunnels this way in AWS without issue.
>>>>>
>>>>> EKG
>>>>>
>>>>>> On Sep 13, 2017, at 09:21, Turbo Fredriksson <[email protected]> wrote:
>>>>>>
>>>>>> I’m trying to set up a tunnel between two regions in AWS.
>>>>>>
>>>>>> Works fine, other than the fact that Strongswan seems to take down the tunnel automatically (?) after a few hours.
>>>>>>
>>>>>> How can I 1) make sure there’s no timeout (?) and 2) that IF the tunnel goes down, for whatever reason, that it will reinitiate the connection automatically?
>>>>>>
>>>> Dead Peer Detection (DPD) sends packets that keep the tunnel up.
>>>>
>>>> Kind regards,
>>>>
>>>> Michael Schwartzkopff
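The difference the thread turns on, as an added example that is not part of any message above: the auto=start setup Turbo posted beside the auto=route form Noel and Eric recommend, plus the swanctl.conf equivalent (start_action=trap). Connection names, addresses, subnets and the IKEv2 choice are placeholders, and authentication settings are left out.

```conf
# --- ipsec.conf: the fragile variant from the thread ---
# auto=start brings the tunnel up once at boot. If a peer deletes the
# CHILD_SA or IKE_SA, or the first negotiation fails, nothing triggers
# a new one, so the link stays down until someone runs `ipsec up`.
conn london-ireland-fragile
    keyexchange=ikev2
    type=tunnel
    left=%defaultroute
    leftsubnet=10.1.0.0/16        # placeholder: London VPC
    right=203.0.113.10            # placeholder: Ireland peer
    rightsubnet=10.2.0.0/16       # placeholder: Ireland VPC
    auto=start
    dpdaction=restart
    dpddelay=10s

# --- ipsec.conf: the variant the thread recommends ---
# auto=route installs a trap policy instead. Any packet matching the
# selectors triggers (re)negotiation, so the tunnel comes back on its
# own after a deletion or failure whenever interesting traffic appears.
conn london-ireland
    keyexchange=ikev2
    type=tunnel
    left=%defaultroute
    leftsubnet=10.1.0.0/16
    right=203.0.113.10
    rightsubnet=10.2.0.0/16
    auto=route
    dpdaction=restart             # re-establish the IKE_SA if the peer stops answering
    dpddelay=10s
    # dpdtimeout only applies to IKEv1; with IKEv2 the retransmission
    # timeout decides when a peer is considered dead.

# --- swanctl.conf equivalent (start_action=trap, as Noel notes) ---
connections {
    london-ireland {
        version = 2
        local_addrs = 198.51.100.20   # placeholder: London peer
        remote_addrs = 203.0.113.10
        dpd_delay = 10s
        children {
            london-ireland {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
```

With auto=route, `ipsec statusall` lists the connection under "Routed Connections" until matching traffic triggers negotiation, which is the expected idle state rather than a failure.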
