Hello Eric, Please don't unnecessarily censor the emails and follow the guide on the HelpRequests[1] page (particularly the bit about the logs). Also your logging is way too verbose for anything useful.
Kind regards
Noel

[1] http://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 10.01.20 at 17:33, [email protected] wrote:
> Using StrongSwan v5.7.1 on an embedded Linux system, I have an IPsec network
> setup where multiple devices (workers) will create tunnels to a single
> device (master). I'm having trouble with a scenario where, when a new
> device (worker) comes online and a tunnel is created to the master device, the
> previously connected tunnels go down. A dpdaction to restart on the previously
> connected tunnels will re-establish the previously connected tunnels, but
> then that new device's tunnel goes down. This creates a loop where tunnels are
> continuously going down and up, and the tunnels are never stable and all up at
> once. Running an `ipsec update` or `ipsec reload` on the master device does
> not change this tunnel down/up loop.
>
> I'm using systemd to run the strongswan service. I've found that a `systemctl
> restart strongswan` on the master device will stop the continuous down/up of
> tunnels. I can script the master device to run `systemctl restart strongswan`
> after new devices (workers) establish a tunnel; however, if one of the multiple
> devices (workers) happens to reboot, then after the reboot the device's tunnel
> to the master device will cause all existing tunnels to the master to drop once again.
> Writing a service on the master device to detect when worker devices reboot
> and to restart strongswan is not as feasible.
>
> Has anyone run into a similar issue and can help suggest what is a good
> course of action to take? I'm not sure if I am missing something in my ipsec
> configuration. Any suggestions or feedback would be helpful and greatly
> appreciated!
>
> Here is what my ipsec.conf files look like from the master device & worker device:
>
> # Master ipsec.conf
> config setup
>     strictcrlpolicy=no
>     charondebug="ike 4, knl 4, cfg 2"
>     uniqueids = no
>
> conn %default
>     rekey=no
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     auto=start
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>
> conn tunnel10.207.15.85-10.207.15.70
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=
>     leftcert=peerCert.pem
>     right=10.207.15.70
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
>
> conn tunnel10.96.0.1-10.207.15.70
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=10.96.0.1
>     leftcert=peerCert.pem
>     right=10.207.15.70
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
>
> conn tunnel10.207.15.85-10.207.15.23
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=
>     leftcert=peerCert.pem
>     right=10.207.15.23
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
>
> conn tunnel10.96.0.1-10.207.15.23
>     keyexchange=ikev2
>     left=10.207.15.85
>     leftsubnet=10.96.0.1
>     leftcert=peerCert.pem
>     right=10.207.15.23
>     rightsubnet=
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
>
> # Worker ipsec.conf
> config setup
>     strictcrlpolicy=no
>     charondebug="ike 4, knl 4, cfg 2"
>     uniqueids = no
>
> conn %default
>     rekey=no
>     ike=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     auto=start
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
>
> conn tunnel10.207.15.85-10.207.15.70
>     keyexchange=ikev2
>     right=10.207.15.85
>     rightsubnet=
>     left=10.207.15.70
>     leftsubnet=
>     leftcert=peerCert.pem
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
>
> conn tunnel10.96.0.1-10.207.15.70
>     keyexchange=ikev2
>     right=10.207.15.85
>     rightsubnet=10.96.0.1
>     left=10.207.15.70
>     leftsubnet=
>     leftcert=peerCert.pem
>     leftid="C=US, O=Vertiv, CN=peer"
>     rightid="C=US, O=Vertiv, CN=peer"
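An added example for readers of this thread (not code from either post or from the strongSwan project): a small Python checker that parses an ipsec.conf, folds `conn %default` into each conn, and reports the settings a reviewer would query in the configs quoted above. It flags `strictcrlpolicy=no`, `charondebug` subsystems above level 2 (a threshold this script assumes, chosen because Noel calls "ike 4, knl 4" too verbose), and the fact that every conn on both ends identifies the peer as the same `C=US, O=Vertiv, CN=peer`, so peers can only be told apart by address. `SAMPLE_MASTER` is a constructed, trimmed copy of the master config. Whether the shared identity is behind the tunnel flapping is not something the checker decides; it only points at it.

```python
"""Lint a strongSwan ipsec.conf for settings that deserve a second look.

Added example for this thread, not code from the posts or from the strongSwan
project. SAMPLE_MASTER is a constructed, trimmed copy of the quoted master
config; the debug threshold (levels above 2) is this script's own assumption.
"""
import re
from collections import Counter

SAMPLE_MASTER = """\
config setup
    strictcrlpolicy=no
    charondebug="ike 4, knl 4, cfg 2"
    uniqueids = no
conn %default
    rekey=no
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
conn tunnel10.207.15.85-10.207.15.70
    keyexchange=ikev2
    left=10.207.15.85
    leftcert=peerCert.pem
    right=10.207.15.70
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
conn tunnel10.207.15.85-10.207.15.23
    keyexchange=ikev2
    left=10.207.15.85
    leftcert=peerCert.pem
    right=10.207.15.23
    leftid="C=US, O=Vertiv, CN=peer"
    rightid="C=US, O=Vertiv, CN=peer"
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} with 'conn %default' folded into every
    conn. Section headers ('config setup', 'conn NAME') start at column 0,
    parameters are indented key=value lines, and '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header
            kind, _, name = line.partition(' ')
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {line!r}")
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    default = sections.pop('conn %default', {})
    return {name: ({**default, **params} if name.startswith('conn ') else params)
            for name, params in sections.items()}


def lint(sections, max_debug_level=2):
    """Return a list of findings (strings) for a parsed ipsec.conf."""
    findings = []
    setup = sections.get('config setup', {})
    if setup.get('strictcrlpolicy', 'no') == 'no':
        findings.append('config setup: strictcrlpolicy=no, a peer certificate is '
                        'accepted even when no CRL/OCSP answer for it can be fetched')
    for subsys, level in re.findall(r'(\w+)\s+(\d+)', setup.get('charondebug', '')):
        if int(level) > max_debug_level:
            findings.append(f'config setup: charondebug "{subsys} {level}" is above '
                            f'{max_debug_level}; too noisy for a help request or production')
    conns = {n: p for n, p in sections.items() if n.startswith('conn ')}
    for rid, count in Counter(p.get('rightid') for p in conns.values()).items():
        if rid and count > 1:
            findings.append(f'{count} conns accept the same peer identity {rid}; '
                            'those peers are told apart only by address, not by identity')
    for name, p in conns.items():
        if p.get('leftid') and p['leftid'] == p.get('rightid'):
            findings.append(f'{name}: leftid equals rightid, so any trusted certificate '
                            'with that subject is accepted in either role')
    return findings


if __name__ == '__main__':
    for finding in lint(parse_ipsec_conf(SAMPLE_MASTER)):
        print('-', finding)
```

Run it against the real files on both ends (`lint(parse_ipsec_conf(open('/etc/ipsec.conf').read()))`); on the worker config quoted above it reports the same shared-identity findings, since leftid and rightid are identical there too.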
