[Swan] dead peer detection not working

Dave Houser davehouser1 at gmail.com
Fri Oct 15 21:34:31 UTC 2021


Hello,

I am trying to implement dead peer detection. However, when the far end SA
kills the connection, the tunnel is never rebuilt. The tunnel will just
stay down until a new rekey is initialized by the far end SA, in which case
the connection will rebuild. BTW, the far end is a Juniper SRX.

Here is the output of /var/log/pluto.log right after I kill the connection
on the far end, nothing else:

Oct 15 23:33:10.518021: "to-vsrx-01" #6: ESP traffic information: in=756B out=1KB
Oct 15 23:33:10.584609: "to-vsrx-01" #3: established IKE SA


Here is my config:

conn to-vsrx-01
    auto=start
    keyexchange=ike
    authby=secret
    ike=aes256-sha2_256;dh20
    esp=aes256-sha2_256
    left=2.2.1.2
    leftid=2.2.1.2
    leftsubnet=172.21.0.0/29
    leftupdown=/opt/_updown_vti01
    right=3.3.0.2
    rightsubnet=0.0.0.0/0
    dpddelay=1s
    dpdtimeout=1s
    dpdaction=restart

Here is the leftupdown script I use:

#!/bin/bash

set -o nounset
set -o errexit

VTI_IF="vti01"

# pluto passes the action in PLUTO_VERB; only the client up/down verbs are handled
case "${PLUTO_VERB}" in
    up-client)
        ip tunnel add "$VTI_IF" local 2.2.0.2 remote 3.3.0.2 mode vti key 42
        ip link set "$VTI_IF" up
        ip addr add 172.21.0.3 dev "$VTI_IF"
        ip route add 172.21.0.0/29 dev "$VTI_IF"
        ip route add 10.0.26.0/24 dev "$VTI_IF"
        sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
        sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
        sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
        ;;
    down-client)
        ip tunnel del "$VTI_IF"
        ;;
esac

Am I misunderstanding what the dpd settings do? I need this tunnel to try
to re-establish if it ever goes down. How can I accomplish this?

- Dave
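An idempotent variant of an updown script of this shape, added here as an example (it is not Dave's script and not part of libreswan). The point it illustrates: with dpdaction=restart the connection is torn down and re-initiated, so the updown script may be rerun while the VTI interface still exists, and because "ip tunnel add" fails on an existing name, errexit would abort the script before the address and routes are configured. The version below checks for the interface first, uses "replace" instead of "add" for the address and routes, and makes down-client safe to repeat. Interface name, key, local/remote addresses and routes are assumed from the post and can be overridden through environment variables; the case dispatch only runs when PLUTO_VERB is set.

```shell
#!/bin/sh
# Added example: an idempotent VTI updown script. Not the poster's script and
# not part of libreswan; interface name, key, addresses and routes are assumed
# from the post and can be overridden via environment variables.
set -eu

VTI_IF="${VTI_IF:-vti01}"
VTI_KEY="${VTI_KEY:-42}"
VTI_LOCAL="${VTI_LOCAL:-2.2.0.2}"
VTI_REMOTE="${VTI_REMOTE:-3.3.0.2}"
VTI_ADDR="${VTI_ADDR:-172.21.0.3}"
VTI_ROUTES="${VTI_ROUTES:-172.21.0.0/29 10.0.26.0/24}"

# True when the VTI interface is already present (e.g. a restart where
# down-client did not run, or aborted before deleting the tunnel).
vti_exists() {
    ip link show "$VTI_IF" >/dev/null 2>&1
}

vti_up() {
    # "ip tunnel add" fails on an existing name, which under set -e would
    # abort the script before the address and routes are configured.
    if ! vti_exists; then
        ip tunnel add "$VTI_IF" local "$VTI_LOCAL" remote "$VTI_REMOTE" \
            mode vti key "$VTI_KEY"
    fi
    ip link set "$VTI_IF" up
    # "replace" succeeds whether or not the object is already there,
    # unlike "add", so a rerun cannot trip errexit.
    ip addr replace "$VTI_ADDR" dev "$VTI_IF"
    for route in $VTI_ROUTES; do
        ip route replace "$route" dev "$VTI_IF"
    done
    # Packets on the VTI are already IPsec-protected: skip the policy check
    # and strict reverse-path filtering on this interface only.
    sysctl -q -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    sysctl -q -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
    sysctl -q -w "net.ipv4.conf.$VTI_IF.forwarding=1"
}

vti_down() {
    # Deleting the tunnel also drops its address and routes; do nothing
    # if it is already gone so down-client is safe to repeat.
    if vti_exists; then
        ip tunnel del "$VTI_IF"
    fi
}

# Dispatch on the verb pluto passes; with no PLUTO_VERB (e.g. when sourced
# for testing) only the functions are defined.
case "${PLUTO_VERB:-}" in
    up-client)   vti_up ;;
    down-client) vti_down ;;
    *)           ;;   # other verbs need no action for this tunnel
esac
```

Install it at the path named in leftupdown and make it executable. Because the ip and sysctl commands are invoked by name from the two functions, they can be shadowed by shell functions for a dry run, which is how the behaviour on a rerun (interface present vs. absent) can be checked without root.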