Hi Tom,

Thank you, I will give that a try. I also updated StrongSwan to v5.6.2.
Let's see if it helps!

Best regards,
Martijn.

Op 7-3-2018 om 16:35 schreef Tom Rymes:
> Martin,
>
> I can't help with the more technical portions of your query, but I can
> confirm that using auto=route has proven to be more reliable than
> auto=start, as a dropped tunnel seems more likely to be brought back
> up automatically.
>
> I had asked specifically about that setting a few years ago, and this
> is the advice I received:
>
> https://lists.strongswan.org/pipermail/users/2015-July/008552.html
>
> Tom
>
> On Mar 7, 2018, at 1:53 AM, Martijn Grendelman
> <martijn.grendel...@isaac.nl <mailto:martijn.grendel...@isaac.nl>> wrote:
>
>> Hi,
>>
>> I have been running StrongSwan on Debian Wheezy (with StrongSwan 4.5.2)
>> for a long time. We have about 70 ESP tunnels with 19 different
>> endpoints, most of them IKEv1. The setup has been rock solid for years,
>> with tunnel outages being extremely rare, and almost always the remote
>> side's fault.
>>
>> Last week, I upgraded the system to Debian Stretch (with StrongSwan
>> 5.5.1), and since then, a number of tunnels (but not all of them) have
>> stability issues. The issue appears to be that CHILD_SA's are not
>> established when needed, or they disappear after some time. I haven't
>> really discovered a pattern, and I'm a bit overwhelmed by Charon's
>> logging output at higher levels. The problems are restricted to IKEv1
>> connections, IKEv2 connections seem unaffected. There don't seem to be
>> any issues establishing IKE SAs.
>>
>> Since I didn't make any changes to the configuration in the course of
>> the upgrade, I can imagine that my config is not up to the standards of
>> version 5. I pasted relevant parts of my config below. Are there things
>> that can be improved?
>>
>> I am sorry I can't be more concrete. I am mostly looking for pointers on
>> how to solve the issues.
>>
>> If I want to know why a CHILD_SA is not established, what logging
>> settings should I use? I'd like some pointers to what kind of messages
>> to look for, and at what level from which subsystem they would be
>> logged. Currently, I have this:
>>
>>         /var/log/charon.log {
>>             time_format = %b %e %T
>>             ike_name = yes
>>             append = yes
>>             default = 1
>>             cfg = 4
>>             net = 0
>>             flush_line = yes
>>         }
>>
>> The problem is, that with 70 tunnels, raising the default log level
>> higher than 1 leads to A LOT of logging (GBs / day) which quickly
>> becomes hard to digest.
>>
>> Here are my 'default' config and some config samples for connections
>> that suffer from these problems. The example describes two tunnels to
>> the same endpoint. Only 'leftsubnet' differs. In total, there are 16
>> tunnels to this endpoint, all sharing the same IKE SA. They only differ
>> in left- and rightsubnet. Does this make sense?
>>
>> conn %default
>>         ikelifetime=8h
>>         keylife=1h
>>         rekeymargin=9m
>>         authby=secret
>>         keyexchange=ikev2
>>         mobike=no
>>         auto=start
>>         leftfirewall=no
>>         lefthostaccess=no
>>         closeaction=restart
>>         dpdaction=restart
>>         keyingtries=%forever
>>
>> conn hq_uk_b4a
>>         left=<left ip>
>>         leftsubnet=172.17.1.0/24
>>         right=<right ip>
>>         rightsubnet=10.53.13.0/24
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1-modp1024
>>         keyexchange=ikev1
>>         ikelifetime=8h
>>
>> conn hq_uk_b4b
>>         left=<left ip>
>>         leftsubnet=172.17.5.0/24
>>         right=<right ip>
>>         rightsubnet=10.53.13.0/24
>>         ike=aes256-sha1-modp1024
>>         esp=aes256-sha1-modp1024
>>         keyexchange=ikev1
>>         ikelifetime=8h
>>
>> Hoping for some useful pointers...
>>
>> Best regards,
>> Martijn Grendelman.
>>

-- 
Met vriendelijke groet,
Kind regards,
Martijn <mailto:martijn.grendel...@isaac.nl>            
Martijn Grendelman  Infrastructure Architect  
T: +31 (0)40 264 94 44   

ISAAC <https://www.isaac.nl>            
Marconilaan 16   5621 AA Eindhoven   The Netherlands
T: +31 (0)40 290 89 79   www.isaac.nl <https://www.isaac.nl>

Dit e-mail bericht is alleen bestemd voor de geadresseerde(n). Indien
dit bericht niet voor u is bedoeld wordt u verzocht de afzender hiervan
op de hoogte te stellen door het bericht te retourneren en de inhoud
niet te gebruiken. Aan dit bericht kunnen geen rechten worden ontleend.

Reply via email to