Hello,
I am trying to implement dead peer detection. However, when the far end SA
kills the connection, the tunnel is never rebuilt. The tunnel will just
stay down until a new rekey is initialized by the far end SA, in which case
the connection will rebuild. BTW the far end is a Juniper SRX.
Here is the output of /var/log/pluto.log right after I kill the connection
on the far end; nothing else is logged:
Oct 15 23:33:10.518021: "to-vsrx-01" #6: ESP traffic information: in=756B out=1KB
Oct 15 23:33:10.584609: "to-vsrx-01" #3: established IKE SA
Here is my config:
conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.1.2
    leftid=2.2.1.2
    leftsubnet=172.21.0.0/29
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    # dead peer detection
    dpddelay=1s
    dpdtimeout=1s
    dpdaction=restart
Here is the leftupdown script I use:
#!/bin/bash
set -o nounset
set -o errexit

VTI_IF="vti01"

case "${PLUTO_VERB}" in
up-client)
    # Create the VTI, bring it up and route the remote networks through it
    ip tunnel add "$VTI_IF" local 2.2.0.2 remote 3.3.0.2 mode vti key 42
    ip link set "$VTI_IF" up
    ip addr add 172.21.0.3 dev "$VTI_IF"
    ip route add 172.21.0.0/29 dev "$VTI_IF"
    ip route add 10.0.26.0/24 dev "$VTI_IF"
    # Let the VTI carry traffic without per-packet policy lookups
    sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
    ;;
down-client)
    # Tear the VTI down when the IPsec SA goes away
    ip tunnel del "$VTI_IF"
    ;;
esac
Am I misunderstanding what the DPD settings do? I need this tunnel to try
to re-establish if it ever goes down. How can I accomplish this?
- Dave
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
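One thing worth checking with a dpdaction=restart setup is the updown script itself: the script in the post runs under set -o errexit, so if up-client ever fires while the VTI from the previous SA still exists (for example because down-client did not run first), ip tunnel add fails and the rest of the script is skipped. The following is an added example of an idempotent VTI updown script, not the poster's script or anything shipped with libreswan. It assumes the PLUTO_VERB, PLUTO_ME and PLUTO_PEER variables that pluto exports to updown scripts, takes the VTI endpoints from those rather than hard-coding them, and adds a DRY_RUN switch (an assumption of this example) so the command plan can be inspected without root; the addresses and the FAKE_EXISTS knob are constructed for the test.

```shell
#!/bin/bash
# Added example: an idempotent libreswan updown script for a VTI interface.
# Not from the original post. Assumes pluto exports PLUTO_VERB/PLUTO_ME/PLUTO_PEER.
set -o nounset
set -o errexit

VTI_IF="${VTI_IF:-vti01}"
VTI_KEY="${VTI_KEY:-42}"
VTI_ADDR="${VTI_ADDR:-172.21.0.3/29}"   # constructed sample address (with prefix)
ROUTES="${ROUTES:-10.0.26.0/24}"         # constructed sample remote network(s)
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (hypothetical knob for testing).
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# vti_exists: does the interface already exist? In dry-run mode the answer
# comes from FAKE_EXISTS (constructed for tests) instead of netlink.
vti_exists() {
  if [ "$DRY_RUN" = "1" ]; then
    [ "${FAKE_EXISTS:-0}" = "1" ]
  else
    ip link show "$VTI_IF" >/dev/null 2>&1
  fi
}

# vti_up: (re)create the VTI. A leftover interface from a previous SA is
# removed first so that 'ip tunnel add' cannot abort the script under errexit.
vti_up() {
  me="$1"; peer="$2"
  if vti_exists; then
    run ip tunnel del "$VTI_IF"
  fi
  run ip tunnel add "$VTI_IF" local "$me" remote "$peer" mode vti key "$VTI_KEY"
  run ip link set "$VTI_IF" up
  run ip addr add "$VTI_ADDR" dev "$VTI_IF"
  for r in $ROUTES; do
    run ip route add "$r" dev "$VTI_IF"
  done
  # Same sysctls as the posted script: no per-packet policy check on the VTI.
  run sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
  run sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
  run sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
}

# vti_down: remove the VTI only if it exists, so a double down-client is harmless.
vti_down() {
  if vti_exists; then
    run ip tunnel del "$VTI_IF"
  fi
}

# updown: dispatch on the pluto verb; verbs we do not handle are ignored.
updown() {
  verb="$1"; me="$2"; peer="$3"
  case "$verb" in
    up-client)   vti_up "$me" "$peer" ;;
    down-client) vti_down ;;
    *)           : ;;
  esac
}

# Only dispatch when invoked by pluto (PLUTO_VERB set); sourcing for tests does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
  updown "$PLUTO_VERB" "${PLUTO_ME:-}" "${PLUTO_PEER:-}"
fi
```

Run with DRY_RUN=1 PLUTO_VERB=up-client PLUTO_ME=2.2.0.2 PLUTO_PEER=3.3.0.2 to see the exact ip/sysctl commands the script would issue; in the real updown path pluto supplies those variables and DRY_RUN stays 0. Because the script takes the endpoints from PLUTO_ME/PLUTO_PEER, the VTI's outer addresses always match the SA that triggered it.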