Hi Tobias,

> On 12.10.2021 at 10:02, Tobias Brunner <[email protected]> wrote:
>
> Hi Patrick,
>
>> The phase 1 entries are all set to "start immediately" - these are all 24x7
>> pre-configured connections, though we use IKE, of course, and not manual
>> SPDs.
>
> If there always is outbound traffic from your side, change the config to
> something that results in auto=route instead of auto=start, so the tunnel
> will automatically get (re-)created on matching traffic. But investigating
> why it gets closed by the peer in the first place might also be worthwhile
> (might be some inactivity timeout, which would contradict the "always
> traffic" claim, or an issue during rekeying - you'll have to analyze the
> logs).

I hardcoded "closeaction = restart" in the OPNsense script that generates the
phase 2 entries and that seems to have done the trick.

What I don't understand is the reason why "auto = start" does not also imply
"restart whenever the tunnel drops for whatever reason". That seems to be what
the retired commercial product does. And given the setup - enterprise
gateway-to-gateway connections as a replacement for dedicated leased lines for
cost reasons - I cannot picture any motivation not to keep all tunnels up
24x7. Even just one initial packet lost or delayed is one too many.

I'll put the closeaction option into OPNsense and test "auto = route", but I'm
still confused. ;-)

Thanks!
Patrick

--
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
[email protected]

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
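To make the two approaches discussed in this thread concrete, here is an ipsec.conf fragment added as an illustration; it is not from the thread, from strongSwan's documentation, or from the OPNsense generator script. It puts the "auto=start plus closeaction=restart" variant Patrick ended up with next to the "auto=route" (trap policy) variant Tobias suggested, and adds dpdaction=restart as the usual companion for detecting a silently vanished peer. Connection names, addresses, identities and subnets are assumed placeholders.

```ini
# Added example, not taken from the thread. Names, addresses, IDs and
# subnets are placeholders (RFC 5737 documentation ranges).

conn %default
    keyexchange = ikev2
    ikelifetime = 8h
    lifetime = 1h
    # Dead peer detection: if the peer stops answering liveness checks,
    # tear the SAs down and re-initiate instead of leaving a dead tunnel.
    dpdaction = restart
    dpddelay = 30s

# Variant A: what the thread ended up with. auto=start brings the tunnel
# up when the daemon starts; on its own it does NOT bring it back after
# the peer deletes the CHILD_SA. closeaction=restart re-initiates when
# the remote side closes the CHILD_SA unexpectedly.
conn site-a-to-site-b
    left = 203.0.113.1
    leftid = @gw-a.example.net
    leftsubnet = 10.1.0.0/16
    right = 198.51.100.1
    rightid = @gw-b.example.net
    rightsubnet = 10.2.0.0/16
    authby = secret
    auto = start
    closeaction = restart

# Variant B: Tobias's suggestion. auto=route installs a trap policy for
# the traffic selectors instead of negotiating immediately; the first
# matching outbound packet triggers (re-)negotiation, so the tunnel
# comes back by itself as long as there is outbound traffic. The first
# packet after a drop may be delayed or lost, which is Patrick's concern.
conn site-a-to-site-b-trap
    left = 203.0.113.1
    leftid = @gw-a.example.net
    leftsubnet = 10.1.0.0/16
    right = 198.51.100.1
    rightid = @gw-b.example.net
    rightsubnet = 10.2.0.0/16
    authby = secret
    auto = route
```

Two caveats when copying this: closeaction (and dpdaction=restart) should not be combined with reauthentication or uniqueids enforcement on the peer, since those legitimately close and re-create SAs and can trigger the restart when it is not wanted; and neither option answers Tobias's question of why the peer closes the CHILD_SA in the first place, which still has to come from the logs on both gateways.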
