<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I tell a slight lie. The tunnel eventually came back up in 12.5 min,
but next time I tested it, after 1h20 it did not come back up until
I tried to pass traffic from the remote end to local.<br>
<br>
<div class="moz-cite-prefix">On 02/05/2019 14:13, Nick Howitt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e438ab71-5c6d-95e9-2386-f4fed5a16474@howitts.co.uk">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
I have an IKEv2 conn with one end behind NAT:<br>
NAT'd (remote):<br>
conn nick-ikev2<br>
type=tunnel<br>
authby=secret<br>
auto=start<br>
left=10.20.40.248<br>
leftsourceip=192.168.20.1<br>
leftsubnet=192.168.20.0/24<br>
leftid=@clearos_in_clearvm<br>
right=my.fqdn<br>
rightsubnet=172.17.2.0/24<br>
rightid=@nick<br>
ikev2=insist<br>
dpdaction=restart<br>
dpdtimeout=120<br>
dpddelay=30<br>
<br>
Other (local) end:<br>
conn nick-ikev2<br>
type=tunnel<br>
authby=secret<br>
auto=add<br>
left=%any<br>
#left=209.90.117.194<br>
leftsubnet=192.168.20.0/24<br>
leftid=@clearos_in_clearvm<br>
right=%defaultroute<br>
rightsubnet=172.17.2.0/24<br>
rightsourceip=172.17.2.1<br>
rightid=@nick<br>
ikev2=insist<br>
dpdaction=restart<br>
dpdtimeout=120<br>
dpddelay=30<br>
rekey=no<br>
salifetime=9h<br>
ikelifetime=2h<br>
<br>
The tunnel comes up fine. If I then reload the conn at the local
end, the tunnel does not automatically reconnect until I do an
"ipsec auto --start nick-ikev2" at the remote end. Shouldn't the
tunnel be automatically reconnecting within 2 1/2 minutes (delay +
timeout)? Note it does not matter if left=%any or
left=209.90.117.194 - the results are the same.<br>
<br>
Using tcpdump at the remote end:<br>
tcpdump -nn -i eth0 'host 90.255.224.113 and (port 500 or port
4500)'<br>
<br>
This shows nothing at all, as if no DPD packets are being sent.
Obviously a similar tcpdump at the other end shows nothing being
received.<br>
<br>
Using libreswan-3.25-4.1.el7_6.x86_64.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
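<p>Added example, not code from the thread or from libreswan: a small Python classifier for the raw UDP payloads that a tcpdump on ports 500/4500 would show, so that IKEv2 liveness checks can be told apart from ESP-in-UDP and NAT keepalives. An IKEv2 DPD probe is an INFORMATIONAL request carrying only the Encrypted (SK) payload (RFC 7296 section 2.4); on port 4500 an IKE message is prefixed by a four-zero-byte Non-ESP Marker and a NAT keepalive is a single 0xFF byte (RFC 3948). The packets, SPIs and addresses below are constructed test data (the addresses are borrowed from the thread), and the <code>build_ike</code> helper exists only to construct them. Because the inner body cannot be seen without the SA keys, an SK-only INFORMATIONAL request is a candidate DPD probe, not proof: a DELETE travels the same way.</p>

```python
"""Classify raw UDP payloads seen on IKE ports 500/4500 so that IKEv2
liveness checks (DPD) can be told apart from ESP-in-UDP and NAT keepalives.
Added example, not libreswan code; all packets below are constructed."""
import struct

IKE_HEADER_LEN = 28                      # fixed header, RFC 7296 section 3.1
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_SK = 46                          # Encrypted and Authenticated payload
FLAG_INITIATOR = 0x08                    # sender is the original initiator
FLAG_RESPONSE = 0x20                     # message is a response
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 section 2.2
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 section 2.3


def parse_ike_header(data):
    """Decode the 28-byte IKEv2 header and sanity-check version and length."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    ispi, rspi, nxt, ver, exch, flags, msgid, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HEADER_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (ver >> 4))
    if length != len(data):
        raise ValueError("IKE length %d != datagram %d" % (length, len(data)))
    return {"kind": "ike", "ispi": ispi, "rspi": rspi,
            "exchange": EXCHANGE_TYPES.get(exch, "UNKNOWN(%d)" % exch),
            "next_payload": nxt,
            "response": bool(flags & FLAG_RESPONSE),
            "from_initiator": bool(flags & FLAG_INITIATOR),
            "msgid": msgid, "length": length}


def classify_udp_payload(dport, data):
    """Classify one UDP datagram payload captured on port 500 or 4500."""
    if dport == 500:
        return parse_ike_header(data)
    if dport == 4500:
        if data == NAT_KEEPALIVE:
            return {"kind": "nat_keepalive"}
        if data[:4] == NON_ESP_MARKER:
            return parse_ike_header(data[4:])
        spi, seq = struct.unpack("!II", data[:8])   # ESP: SPI then sequence
        return {"kind": "esp", "spi": spi, "seq": seq}
    raise ValueError("not an IKE port: %d" % dport)


def is_dpd_probe(rec):
    """Candidate liveness check: INFORMATIONAL request whose first payload is SK.
    The empty inner body is invisible without the SA keys, so a DELETE looks
    the same on the wire; treat this as a candidate, not proof."""
    return (rec.get("kind") == "ike" and rec["exchange"] == "INFORMATIONAL"
            and not rec["response"] and rec["next_payload"] == PAYLOAD_SK)


def summarize_capture(packets):
    """Count packet classes in a list of (src, dst, dport, payload) tuples."""
    counts = {"dpd_request": 0, "dpd_response": 0, "ike_other": 0,
              "esp": 0, "nat_keepalive": 0}
    for _src, _dst, dport, payload in packets:
        rec = classify_udp_payload(dport, payload)
        if rec["kind"] != "ike":
            counts[rec["kind"]] += 1
        elif is_dpd_probe(rec):
            counts["dpd_request"] += 1
        elif rec["exchange"] == "INFORMATIONAL" and rec["response"]:
            counts["dpd_response"] += 1
        else:
            counts["ike_other"] += 1
    return counts


def build_ike(ispi, rspi, exchange, flags, msgid, next_payload=PAYLOAD_SK,
              body=b"", nat_t=False):
    """Construct a syntactically valid IKEv2 datagram (test data only)."""
    hdr = struct.pack("!QQBBBBII", ispi, rspi, next_payload, 0x20, exchange,
                      flags, msgid, IKE_HEADER_LEN + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


# Constructed capture: NAT'd remote 10.20.40.248 talking to 90.255.224.113.
SAMPLE_CAPTURE = [
    ("10.20.40.248", "90.255.224.113", 4500,
     build_ike(0x1111, 0x2222, 37, FLAG_INITIATOR, 7, body=b"\x00" * 40, nat_t=True)),
    ("90.255.224.113", "10.20.40.248", 4500,
     build_ike(0x1111, 0x2222, 37, FLAG_RESPONSE, 7, body=b"\x00" * 40, nat_t=True)),
    ("10.20.40.248", "90.255.224.113", 4500, NAT_KEEPALIVE),
    ("10.20.40.248", "90.255.224.113", 4500,
     struct.pack("!II", 0xC0FFEE, 42) + b"\x00" * 60),                 # ESP-in-UDP
    ("10.20.40.248", "90.255.224.113", 500,
     build_ike(0x1111, 0, 34, FLAG_INITIATOR, 0, next_payload=33, body=b"\x00" * 100)),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_CAPTURE))
```

<p>On a real capture you would feed the function the UDP payloads read from a pcap written with <code>tcpdump -w</code> (reading the file with a pcap library is assumed and not shown). If the summary shows NAT keepalives and ESP but no INFORMATIONAL requests at all during the dpddelay window, DPD is genuinely not being sent, which is the situation the thread describes.</p>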
<br>
</body>
</html>