01-15-2014 10:36 AM - edited 01-15-2014 10:39 AM
I am using Debian in a VM (Xen XT) to launch a strongSwan site to site tunnel to an Aruba controller. Works great and is very repeatable. Scripting handles the connections. Debian sees the network interface come up and launches strongSwan. Pretty sweet. The problem that I am seeing is that when the tunnel has become inactive for a time the strongSwan side closes the tunnel.
On the Aruba side when the strongSwan goes down I see the IPSEC SA go down or cease to exist. But I still see the ISAKMP side as active.
When the Debian VM comes alive and tries to launch the tunnel, it appears that the ISAKMP SA being active is causing the strongSwan attempt at a tunnel to fail. If I clear the isakmp sa, the strongSwan connects faster than I can type the command "show crypto ipsec sa". Since this is a test configuration in a working enterprise, when the situation occurs I can log in and clear ISAKMP, but I need this to be a hair more automated. I played with the DPD timer which is currently set at 30 seconds on both sides.
crypto-local isakmp dpd idle-timeout 30 retry-timeout 2 retry-attempts 3
Any suggestions on how this can work better? Or how can I get the ISAKMP to drop the peer when the connection goes dead? Thanks.
02-07-2014 05:50 PM
Modified the scripts on the strongSwan side. Although the DPD timers were set low, the problem was with our scripts. Changed them as follows when the host detects the tunnel as being down or wants to take the tunnel down.
ipsec down tunnel
ipsec up tunnel
This gives better performance and reconnects are much faster.
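As an added illustration (not the poster's own script), here is a small POSIX shell hook that applies the fix described above: tear the strongSwan connection down, bring it back up, and confirm via "ipsec status" that the IKE_SA is established before giving up. The connection name "tunnel", the IPSEC_CMD and RETRY_DELAY variables, and the retry count are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: restart a strongSwan connection
# with "ipsec down" followed by "ipsec up" (the poster's fix) and verify the
# result with "ipsec status". IPSEC_CMD lets a test substitute a stub binary.
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# Return 0 if the named connection shows an ESTABLISHED IKE_SA in "ipsec status".
tunnel_is_up() {
    "$IPSEC_CMD" status "$1" 2>/dev/null | grep -q "$1.*ESTABLISHED"
}

# Tear the connection down, then bring it up; retry "ipsec up" until the
# connection is established or the attempt budget (default 3) is spent.
reset_tunnel() {
    conn="$1"
    attempts="${2:-3}"
    # "ipsec down" may complain if nothing is up yet; that is harmless here.
    "$IPSEC_CMD" down "$conn" >/dev/null 2>&1 || true
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if "$IPSEC_CMD" up "$conn" >/dev/null 2>&1 && tunnel_is_up "$conn"; then
            echo "$conn established after $n attempt(s)"
            return 0
        fi
        sleep "${RETRY_DELAY:-2}"
    done
    echo "$conn still down after $attempts attempt(s)" >&2
    return 1
}

# Entry point for an interface hook (e.g. a script under /etc/network/if-up.d):
# pass the connection name as the first argument.
if [ -n "${1:-}" ]; then
    if tunnel_is_up "$1"; then
        echo "$1 already established"
    else
        reset_tunnel "$1"
    fi
fi
```

Run it as `sh reset-tunnel.sh tunnel` from the hook that fires when the VM's interface comes up; the exit status tells the caller whether the tunnel came back.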