[Swan] dead peer detection not working
Dave Houser
davehouser1 at gmail.com
Fri Oct 15 21:34:31 UTC 2021
Hello,
I am trying to implement dead peer detection. However, when the far end SA
kills the connection, the tunnel is never rebuilt. The tunnel will just
stay down until a new rekey is initialized by the far end SA, in which case
the connection will rebuild. BTW the far end is a Juniper SRX.
Here is the output of /var/log/pluto.log right after I kill the connection
on the far end, nothing else:

    Oct 15 23:33:10.518021: "to-vsrx-01" #6: ESP traffic information: in=756B out=1KB
    Oct 15 23:33:10.584609: "to-vsrx-01" #3: established IKE SA
Here is my config:

    conn to-vsrx-01
        auto=start
        keyexchange=ike
        authby=secret
        ike=aes256-sha2_256;dh20
        esp=aes256-sha2_256
        left=2.2.1.2
        leftid=2.2.1.2
        leftsubnet=172.21.0.0/29
        leftupdown=/opt/_updown_vti01
        right=3.3.0.2
        rightsubnet=0.0.0.0/0
        dpddelay=1s
        dpdtimeout=1s
        dpdaction=restart
Here is the leftupdown script I use:

    #!/bin/bash
    # leftupdown script for the vti01 tunnel; pluto passes the event name in PLUTO_VERB
    set -o nounset
    set -o errexit
    VTI_IF="vti01"
    case "${PLUTO_VERB}" in
        up-client)
            # up-client runs again on every (re)establishment; under errexit a second
            # "ip tunnel add" on an existing interface would abort the script, so
            # remove any stale instance first and rebuild from scratch
            ip tunnel del "$VTI_IF" 2>/dev/null || true
            ip tunnel add "$VTI_IF" local 2.2.0.2 remote 3.3.0.2 mode vti key 42
            ip link set "$VTI_IF" up
            ip addr add 172.21.0.3 dev "$VTI_IF"
            ip route add 172.21.0.0/29 dev "$VTI_IF"
            ip route add 10.0.26.0/24 dev "$VTI_IF"
            # route-based VPN: skip XFRM policy lookups on the VTI, allow asymmetric
            # return paths, and forward traffic arriving from the tunnel
            sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
            sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
            sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
            ;;
        down-client)
            ip tunnel del "$VTI_IF"
            ;;
    esac
Am I misunderstanding what the dpd settings do? I need this tunnel to try
to re-establish if it ever goes down. How can I accomplish this?
- Dave
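An added example, not part of Dave's post and not libreswan code: a small linter that parses the conn block quoted above and reports how its DPD keys relate to each other before anyone starts blaming the peer. The conn text is embedded verbatim as the sample input; the duration parsing, the accepted dpdaction values (hold, clear, restart) and the check wording are this example's own assumptions, and the observation it encodes is that with dpdtimeout no larger than dpddelay a single unanswered probe is enough to trigger dpdaction.

```python
"""Lint the DPD keys of a libreswan-style ``conn`` section (added example)."""
import re

# The conn block from the post, embedded here as the sample input.
SAMPLE_CONN = """\
conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.1.2
    leftid=2.2.1.2
    leftsubnet=172.21.0.0/29
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    dpddelay=1s
    dpdtimeout=1s
    dpdaction=restart
"""

# Assumed time suffixes: bare seconds, s, m, h, d.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Seconds for a time value such as '30', '1s', '2m', '1h' or '1d'."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_conn(text):
    """Parse a single 'conn NAME' block into {'name': NAME, 'keys': {...}}."""
    name, keys = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        keys[key.strip()] = val.strip()
    return {"name": name, "keys": keys}


def check_dpd(conn):
    """Return (severity, message) findings about the DPD keys of one conn."""
    keys = conn["keys"]
    findings = []
    delay, timeout, action = (keys.get(k) for k in ("dpddelay", "dpdtimeout", "dpdaction"))
    if delay is None or timeout is None:
        findings.append(("warn", "dpddelay and dpdtimeout must both be set for DPD probing"))
        return findings
    d, t = parse_duration(delay), parse_duration(timeout)
    if t <= d:
        findings.append(("warn",
                         f"dpdtimeout ({t}s) is not larger than dpddelay ({d}s): "
                         "a single unanswered probe is enough to declare the peer dead, "
                         "so any one lost packet triggers dpdaction"))
    if action is None:
        findings.append(("info", "dpdaction not set; the daemon default applies"))
    elif action not in ("hold", "clear", "restart"):
        findings.append(("warn", f"unrecognised dpdaction {action!r}"))
    elif action == "restart" and keys.get("right") in (None, "%any"):
        findings.append(("warn", "dpdaction=restart needs a fixed right= peer address to reconnect to"))
    return findings


def lint(text):
    """Parse a conn block and return its DPD findings."""
    return check_dpd(parse_conn(text))


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_CONN):
        print(f"{sev}: {msg}")
```

Run it as-is and it flags the 1s/1s pairing; change dpdtimeout to something larger than dpddelay and it reports nothing, which is the first thing to rule out before digging into the pluto log or the updown script.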