<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Rather than restart ipsec which restarts all conns, can you do it on
a per-conn basis using the "ipsec auto delete/replace/add/start"
commands?<br>
<br>
<div class="moz-cite-prefix">On 10/10/2018 15:38, Whit Blauvelt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20181010143810.GA19343@black.transpect.com">
<pre wrap="">
Hi,
What's best practice for restarting a connection when the internal dead peer
detection isn't enough? In past years with Openswan I've run a script
pinging an address in each remote subnet, restarting ipsec if there are
persistent failures to respond on any of them. Libreswan tunnels get into a
bad state less often (Cisco ASAs on the other end); but nonetheless, despite
dpd being enabled, can get into a state where traffic is failing, and an
instant restart of ipsec has risk involved. Yesterday with one tunnel
failing seemingly entirely, restarting ipsec resulted in several subnets on
a second tunnel becoming unusable, and this through several restarts
(although not the same subnets each time), until I waited a full minute for
the restart.
So to not have to be woken in the middle of the night if this gets into a
similar state again, I need to get that test script up again, and presumably
introduce a delay in it so it shuts down ipsec, waits somthing like a
minute, and then starts it again. Or I need to find a better strategy.
What's clear is that dpd needs an external backup to get to automated
reliability. This sort of bad state is thankfully infrequent; but I have to
prepare for it.
All advice will be welcome.
Thanks,
Whit
_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<br>
</body>
</html>