I am using Debian in a VM (Xen XT) to launch a strongSwan site to site tunnel to an Aruba controller. Works great and is very repeatable. Scripting handles the connections. Debian sees the network interface come up and launches strongSwan. Pretty sweet. The problem that I am seeing is that when the tunnel has become inactive for a time the strongSwan side closes the tunnel.
On the Aruba side when the strongSwan goes down I see the IPSEC SA go down or cease to exist. But I still see the ISAKMP side as active.
When the Debian VM comes alive and tries to launch the tunnel, it appears that the ISAKMP SA being active is causing the strongSwan attempt at a tunnel to fail. If I clear the isakmp sa, the strongSwan connects faster than I can type the command "show crypto ipsec sa". Since this is a test configuration in a working enterprise, when the situation occurs I can log in and clear ISAKMP, but I need this to be a hair more automated. I played with the DPD timer, which is currently set at 30 seconds on both sides.
crypto-local isakmp dpd idle-timeout 30 retry-timeout 2 retry-attempts 3
Any suggestions on how this can work better? Or how can I get the ISAKMP to drop the peer when the connection goes dead? Thanks.
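An added example, not the original poster's configuration, of the strongSwan ipsec.conf settings that control DPD, idle tear-down and re-establishment on the Debian side of such a tunnel; the connection name, addresses and subnets are placeholders, and IKEv1 with a pre-shared key is assumed.

```ini
# Added example (not from the original post): strongSwan ipsec.conf
# connection showing the knobs that decide how the Debian side reacts
# when the tunnel goes idle or the peer stops answering DPD.
# Assumptions: connection name "aruba", IKEv1 with PSK, placeholder
# addresses and subnets; replace them with your own.
conn aruba
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftsubnet=10.0.1.0/24          # placeholder local subnet
    right=192.0.2.1                 # placeholder Aruba controller address
    rightsubnet=10.0.2.0/24         # placeholder remote subnet
    auto=start
    keyingtries=%forever            # keep retrying instead of giving up

    # Match the 30 s DPD interval configured on the controller.
    # dpdtimeout applies to IKEv1 only; with IKEv2 the retransmission
    # timeout decides when a silent peer is declared dead.
    dpddelay=30s
    dpdtimeout=90s
    dpdaction=restart               # on a dead peer, tear down and re-negotiate

    # An inactivity timeout is what closes an idle CHILD_SA on the
    # strongSwan side; omit it (or lengthen it) if the tunnel should stay
    # up, and let closeaction bring it back when the peer closes it.
    # inactivity=3600s
    closeaction=restart
```

Check the result on the Debian side with `ipsec statusall` after the tunnel has been idle for longer than the DPD interval; both the IKE SA and the CHILD_SA should still be listed, or be re-established within a few seconds of the restart.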