Hello Daniel,

we had a problem with the IKEv2 charon daemon which sometimes deleted
the IPsec policies together with the IPsec SAs even though the
policies were permanently installed via auto=route. This bug was fixed,
though, and strongswan-4.3.5 should behave properly.

Regards

Andreas

Daniel Mentz wrote:
> Hello Andreas Steffen,
> 
> this is an interesting topic. I'm wondering whether people should be
> advised to add
> 
> dpdaction=hold
> 
> to their ipsec.conf.
> I tried to set up a configuration that is similar to Andreas Schuldei's.
> The thing that was special about my setup is that it uses an ADSL dialup
> connection that disconnects every 24 hours. As a result, the ppp0
> interface disappears and reappears shortly after.
> 
> The problem I experienced was that the tunnel did not survive this short
> outage and strongSwan failed the connection. What made me worry is that
> strongSwan deleted the IPsec policy completely. The consequence was that
> traffic was sent unprotected i.e. unencrypted!
> 
> If I set auto=route, I expect strongSwan to set up the IPsec policy and
> refrain from deleting it *in any event*.
> 
> Please correct me when I'm wrong.
> 
> -Daniel
> 
> 
> Andreas Steffen wrote:
>> Hello Andreas,
>>
>> set up all the connections with
>>
>>   auto=route
>>
>> which will install only the corresponding IPsec policies in the
>> Linux kernel. As soon as the first packet wants to leave a host
>> in direction to another host for which a secure connection is
>> defined, the matching IPsec policy will trigger the IKE daemon
>> and cause it to negotiate the IPsec tunnel just in time.
>>
>> Best regards
>>
>> Andreas
>>
>> Andreas Schuldei wrote:
>>> hi!
>>>
>>> i would like to initiate my SAs "just in time", meaning that they
>>> should only set up the secure connection when there is real traffic,
>>> not ahead of time.
>>>
>>> background to that is that i want to do a full mesh of host-to-host
>>> transports, both within one site in order to get rid of firewalls per
>>> site, and between sites, to avoid setting up tunnels between sites.
>>>
>>> not every host will talk to every other host all the time, but they
>>> might need to talk to any given host within the whole setup sooner or
>>> later. in order not to have to initiate a connection to every other
>>> host at ipsec startup i would like to configure strongswan in a way
>>> that it would only set up the secure host-to-host transport when it's
>>> needed. otherwise i might be DoSing myself when a whole site gets cut
>>> off from the net and then later comes back again and a few hundred
>>> servers initiate connections to the rest of the network all at once.
>>>
>>> how can i solve that?
>>>
>>> /andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
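The setup the thread converges on (auto=route trap policies for an on-demand host-to-host transport mesh, plus dpdaction=hold so a peer timeout drops the SA but keeps the policy) as an added ipsec.conf example; this is not configuration from the thread or from the strongSwan project, and all addresses, identities and certificate file names in it are placeholders.

```ini
# Added example, not from the thread: IKEv2 host-to-host transport mesh
# negotiated "just in time" via trap policies installed at startup.
# Addresses, identities and certificate names are placeholders.
config setup
        charonstart=yes
        plutostart=no           # IKEv2 only; the thread concerns charon

conn %default
        keyexchange=ikev2
        type=transport          # host-to-host, no subnets behind the peers
        authby=pubkey
        leftcert=hostCert.pem   # placeholder: this host's certificate
        dpddelay=30s
        dpdaction=hold          # peer timeout: delete the SA, keep the trap policy
        auto=route              # install the policy now, negotiate on first packet

# One conn per peer. Nothing is negotiated at startup; the first packet
# matching a policy triggers the IKE_SA and CHILD_SA negotiation.
conn host-b
        left=192.0.2.10         # placeholder: this host
        right=192.0.2.11        # placeholder: peer host B
        rightid="C=CH, O=Example, CN=host-b.example.org"

conn host-c
        left=192.0.2.10
        right=192.0.2.12        # placeholder: peer host C
        rightid="C=CH, O=Example, CN=host-c.example.org"
```

The check for the failure mode Daniel describes: after a peer outage, `ip xfrm policy` should still list the policy for the peer pair while `ip xfrm state` shows no SA for it; if the policy is gone as well, traffic to that peer leaves the host in the clear.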