
Issue #1501

Updated by Tobias Brunner almost 6 years ago

Hello,

I established an IKEv1 IPsec connection between two strongSwan instances. One side is configured as initiator and the second one is configured as responder.

The initiator ipsec.conf:
<pre>
conn ipsec1
left=192.168.7.110
right=192.168.7.120
leftauth=psk
rightauth=psk
leftsubnet=192.168.100.0/24
rightsubnet=192.168.1.0/24
leftfirewall=yes
keyexchange=ikev1
ikelifetime=3600
keylife=3600
rekeymargin=540
rekeyfuzz=100%
keyingtries=%forever
type=tunnel
auto=start
closeaction=restart
</pre>


The responder ipsec.conf:
<pre>
conn ipsec1
left=192.168.7.120
right=%any
leftauth=psk
rightauth=psk
leftsubnet=192.168.1.0/24
rightsubnet=192.168.100.0/24
leftfirewall=yes
keyexchange=ikev1
ikelifetime=3600
keylife=3600
rekeymargin=540
rekeyfuzz=100%
keyingtries=%forever
type=tunnel
auto=add
</pre>


I found the following issue: the IPsec tunnel is not automatically reestablished if the remote side is restarted, so manual action on the local side is required. Option closeaction=restart should be used in ipsec.conf in this case, but it is not recommended to use it with uniqueids=yes, which is usually enabled. Unfortunately, even closeaction=restart does not help if the tunnel is downed and deleted on the remote side, because the remote side sends NO_PROPOSAL_CHOSEN and the SA is permanently deleted on the local side too.

Many thanks for your help.
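The "manual action" the post describes (checking whether conn ipsec1 still has an installed CHILD_SA and running `ipsec up` again when it does not) can be automated by a small watchdog that parses `ipsec status` output. The block below is an added example for this page, not code from the poster or from the strongSwan project: the status and charon log samples are constructed to mimic charon's output format, the function names (`sa_states`, `decide_action`, `saw_no_proposal_chosen`, `run_watchdog`) and the three-way action mapping are this example's own assumptions, and only `run_watchdog` touches the real `ipsec` CLI.

```python
"""Watchdog for the IKEv1 connection "ipsec1" from the post.

Added example, not strongSwan code. It classifies `ipsec status` output into
one of three actions and, optionally, runs the matching `ipsec` commands.
"""
import re
import subprocess
from typing import List, Tuple

CONN = "ipsec1"  # connection name from the post's ipsec.conf

# `ipsec status` prints one line per IKE_SA and per CHILD_SA, e.g. (constructed):
#   ipsec1[1]: ESTABLISHED 12 seconds ago, 192.168.7.110[...]...192.168.7.120[...]
#   ipsec1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb5e5abc_i c4f2e5d1_o
# The state word is followed by a space or comma, which keeps "IKEv1 SPIs:" from matching.
_IKE_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\[\d+\]:\s+(?P<state>[A-Z_]+)(?=[ ,])")
_CHILD_RE = re.compile(r"^\s*(?P<conn>[\w.-]+)\{\d+\}:\s+(?P<state>[A-Z_]+)(?=[ ,])")


def sa_states(status_text: str, conn: str = CONN) -> Tuple[List[str], List[str]]:
    """Return ([IKE_SA states], [CHILD_SA states]) for `conn` from `ipsec status` text."""
    ike, child = [], []
    for line in status_text.splitlines():
        m = _IKE_RE.match(line)
        if m and m.group("conn") == conn:
            ike.append(m.group("state"))
            continue
        m = _CHILD_RE.match(line)
        if m and m.group("conn") == conn:
            child.append(m.group("state"))
    return ike, child


def decide_action(status_text: str, conn: str = CONN) -> str:
    """Map SA state to an action (this mapping is an assumption of the example).

    'ok'      - a CHILD_SA is INSTALLED, nothing to do
    'up'      - no IKE_SA left (e.g. the peer deleted it after NO_PROPOSAL_CHOSEN):
                `ipsec up <conn>` re-initiates from scratch
    'down-up' - an IKE_SA lingers without an INSTALLED CHILD_SA: tear it down first
    """
    ike, child = sa_states(status_text, conn)
    if "INSTALLED" in child:
        return "ok"
    if not ike:
        return "up"
    return "down-up"


def saw_no_proposal_chosen(log_lines: List[str]) -> bool:
    """True if a charon log line reports the peer's NO_PROPOSAL_CHOSEN notify.

    Matched loosely on the notify name because the exact log wording varies.
    """
    return any("NO_PROPOSAL_CHOSEN" in line for line in log_lines)


def run_watchdog(conn: str = CONN, dry_run: bool = True) -> List[List[str]]:
    """Query the live `ipsec status <conn>` and return the commands chosen (run them if not dry_run)."""
    status = subprocess.run(["ipsec", "status", conn], capture_output=True, text=True).stdout
    commands = {
        "ok": [],
        "up": [["ipsec", "up", conn]],
        "down-up": [["ipsec", "down", conn], ["ipsec", "up", conn]],
    }[decide_action(status, conn)]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=False)
    return commands


# Constructed samples (not captured from a real system), shaped like charon output.
STATUS_UP = """Security Associations (1 up, 0 connecting):
      ipsec1[1]: ESTABLISHED 12 seconds ago, 192.168.7.110[192.168.7.110]...192.168.7.120[192.168.7.120]
      ipsec1[1]: IKEv1 SPIs: 6a9c1b2d3e4f5a60_i* 0f1e2d3c4b5a6978_r
      ipsec1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb5e5abc_i c4f2e5d1_o
      ipsec1{1}:   192.168.100.0/24 === 192.168.1.0/24
"""
STATUS_GONE = """Security Associations (0 up, 0 connecting):
  none
"""
STATUS_IKE_ONLY = """Security Associations (1 up, 0 connecting):
      ipsec1[2]: ESTABLISHED 3 seconds ago, 192.168.7.110[192.168.7.110]...192.168.7.120[192.168.7.120]
"""
LOG_NPC = ["charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify",
           "charon: 09[IKE] IKE_SA ipsec1[1] state change: ESTABLISHED => DELETING"]

if __name__ == "__main__":
    for name, text in [("up", STATUS_UP), ("gone", STATUS_GONE), ("ike-only", STATUS_IKE_ONLY)]:
        print(name, "->", decide_action(text))
    print("NO_PROPOSAL_CHOSEN seen:", saw_no_proposal_chosen(LOG_NPC))
```

Run `run_watchdog(dry_run=False)` from cron or a systemd timer on the initiator; with `dry_run=True` (the default) it only reports which commands it would issue, which is the safer way to validate the regexes against your own `ipsec status` output first.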
