Martin, I can't help with the more technical portions of your query, but I can confirm that using auto=route has proven to be more reliable than auto=start, as a dropped tunnel seems more likely to be brought back up automatically.
I had asked specifically about that setting a few years ago, and this is the advice I received: https://lists.strongswan.org/pipermail/users/2015-July/008552.html

Tom

> On Mar 7, 2018, at 1:53 AM, Martijn Grendelman <martijn.grendel...@isaac.nl> wrote:
>
> Hi,
>
> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2) for a long time. We have about 70 ESP tunnels with 19 different endpoints, most of them IKEv1. The setup has been rock solid for years, with tunnel outages being extremely rare, and almost always the remote side's fault.
>
> Last week, I upgraded the system to Debian Stretch (with StrongSwan 5.5.1), and since then, a number of tunnels (but not all of them) have stability issues. The issue appears to be that CHILD_SAs are not established when needed, or they disappear after some time. I haven't really discovered a pattern, and I'm a bit overwhelmed by Charon's logging output at higher levels. The problems are restricted to IKEv1 connections; IKEv2 connections seem unaffected. There don't seem to be any issues establishing IKE SAs.
>
> Since I didn't make any changes to the configuration in the course of the upgrade, I can imagine that my config is not up to the standards of version 5. I pasted relevant parts of my config below. Are there things that can be improved?
>
> I am sorry I can't be more concrete. I am mostly looking for pointers on how to solve the issues.
>
> If I want to know why a CHILD_SA is not established, what logging settings should I use? I'd like some pointers to what kind of messages to look for, and at what level from which subsystem they would be logged. Currently, I have this:
>
> /var/log/charon.log {
>     time_format = %b %e %T
>     ike_name = yes
>     append = yes
>     default = 1
>     cfg = 4
>     net = 0
>     flush_line = yes
> }
>
> The problem is that with 70 tunnels, raising the default log level higher than 1 leads to A LOT of logging (GBs / day), which quickly becomes hard to digest.
>
> Here are my 'default' config and some config samples for connections that suffer from these problems. The example describes two tunnels to the same endpoint. Only 'leftsubnet' differs. In total, there are 16 tunnels to this endpoint, all sharing the same IKE SA. They only differ in left- and rightsubnet. Does this make sense?
>
> conn %default
>     ikelifetime=8h
>     keylife=1h
>     rekeymargin=9m
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
>     auto=start
>     leftfirewall=no
>     lefthostaccess=no
>     closeaction=restart
>     dpdaction=restart
>     keyingtries=%forever
>
> conn hq_uk_b4a
>     left=<left ip>
>     leftsubnet=172.17.1.0/24
>     right=<right ip>
>     rightsubnet=10.53.13.0/24
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1-modp1024
>     keyexchange=ikev1
>     ikelifetime=8h
>
> conn hq_uk_b4b
>     left=<left ip>
>     leftsubnet=172.17.5.0/24
>     right=<right ip>
>     rightsubnet=10.53.13.0/24
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1-modp1024
>     keyexchange=ikev1
>     ikelifetime=8h
>
> Hoping for some useful pointers...
>
> Best regards,
> Martijn Grendelman.
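An added illustration, not part of Tom's reply or Martijn's message: the quoted `%default` section with `auto=route` in place of `auto=start` (the change Tom's linked advice is about), next to a `charon.log` filelog block that raises only the charon subsystems involved in CHILD_SA negotiation while leaving `default` at 1 to contain volume. The subsystem names (`ike`, `chd`, `knl`, `cfg`, `net`) are real strongSwan logger keys; the specific levels chosen are my assumption, not advice from the list.

```conf
# --- /etc/ipsec.conf (added example; values mirror the quoted config) ---
conn %default
    ikelifetime=8h
    keylife=1h
    rekeymargin=9m
    authby=secret
    keyexchange=ikev2
    mobike=no
    # auto=start           # as quoted: charon initiates the tunnel once when loaded
    auto=route             # instead: install trap policies, so the CHILD_SA is
                           # (re)negotiated whenever matching traffic appears
    leftfirewall=no
    lefthostaccess=no
    closeaction=restart
    dpdaction=restart
    keyingtries=%forever

# --- /etc/strongswan.conf (added example; levels are an assumption) ---
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes       # prefix lines with the conn name, so
                                 # "grep hq_uk_b4a" isolates one tunnel's history
            append = yes
            flush_line = yes
            default = 1          # keep the global level low: 70 tunnels
            ike = 2              # IKE_SA and quick mode exchange progress
            chd = 2              # CHILD_SA setup, rekeying and deletion
            knl = 2              # kernel SA/policy installation and expiry events
            cfg = 2              # which conn/proposal/selector was matched (or not)
            net = 0
        }
    }
}
```

Filelog settings are read when charon starts, so the daemon has to be restarted for changed levels to take effect.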