Here’s my current ipsec.conf.

What do I need to change to make sure the client retries connecting to the server indefinitely?

$ cat /etc/ipsec.conf

conn %default
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!

conn ikev2
    auto=start
    dpdaction=restart
    closeaction=restart
    keyingtries=%forever
    leftid=client@my-vpn.com
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=159.203.26.109
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
  • Read the logs for details. Generally, there are fatal errors that will cause the client not to reconnect (e.g. authentication or proposal errors). You'd need an external monitoring tool to reconnect (or use _auto=route_, but use _dpd/closeaction=clear_ or _reauth=no_ in that case). Proposal errors can occur if the server has the config not loaded yet when the client tries to reconnect, so alternatively, it might be possible to close the IKE ports on the server during the restart and open them once the config is loaded. – ecdsa May 04 '20 at 07:06
  • @ecdsa Oh, so if a fatal error is thrown, the client will stop trying to reconnect? If so, that means that if the server reboots, there is a good chance the client will hit that edge case and stop reconnecting. I must be missing something... there is no built-in mechanism to make sure always-up connections between client and server are maintained even if either goes down and comes back up? – sunknudsen May 04 '20 at 12:04
  • Other than _auto=route_, no, currently not. – ecdsa May 04 '20 at 14:27

1 Answer

The following strategy makes sure the connection is always established.

$ vi /usr/local/sbin/monitor.sh
#!/bin/bash

if ipsec status | grep --quiet ESTABLISHED
then
  echo "strongSwan connection is established"
else
  echo "strongSwan connection is not established, restarting..."
  ipsec restart
fi

$ chmod +x /usr/local/sbin/monitor.sh

$ vi /etc/crontab
* * * * * root /usr/local/sbin/monitor.sh > /dev/null 2>&1 &
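The monitor above restarts the daemon whenever no SA at all reports ESTABLISHED. The variant below is an added example, not the answerer's script: it checks the specific conn name from the question (ikev2) so that an unrelated established SA cannot mask a down tunnel, and it separates the decision from the action so the decision can be exercised without a running daemon. The sample status texts are constructed to resemble the classic "ipsec status" layout; the conn name, the --live flag and the assumption that it runs as root with the ipsec wrapper on PATH are mine.

```shell
#!/bin/sh
# Added example (not the answer's script). Decides whether the conn named
# in $CONN_NAME needs a restart from the text of "ipsec status".
# The sample outputs below are constructed, not captured from a real host.

CONN_NAME="${CONN_NAME:-ikev2}"   # conn name from the question's ipsec.conf

# conn_established STATUS_TEXT
# Exit 0 when an IKE_SA named $CONN_NAME is reported ESTABLISHED, else 1.
# Matching on "<name>[<id>]: ESTABLISHED" ignores CHILD_SA lines ("name{n}")
# and SAs that belong to other conns.
conn_established() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${CONN_NAME}\[[0-9]+\]: ESTABLISHED"
}

# monitor_decision STATUS_TEXT
# Prints "established" or "restart"; the caller acts on the word.
monitor_decision() {
    if conn_established "$1"; then
        echo "established"
    else
        echo "restart"
    fi
}

# Constructed sample outputs modelled on the "ipsec status" layout.
STATUS_UP='Security Associations (1 up, 0 connecting):
       ikev2[3]: ESTABLISHED 2 minutes ago, 10.0.0.2[client@my-vpn.com]...159.203.26.109[my-vpn.com]
       ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i c0ffee02_o'
STATUS_CONNECTING='Security Associations (0 up, 1 connecting):
       ikev2[4]: CONNECTING, %any[%any]...159.203.26.109[%any]'
STATUS_NONE='Security Associations (0 up, 0 connecting):
  none'

# With --live, query the real daemon (assumes root and "ipsec" on PATH,
# as in the answer's cron job); otherwise dry-run over the samples.
if [ "${1:-}" = "--live" ]; then
    case "$(monitor_decision "$(ipsec status 2>/dev/null)")" in
        established) echo "strongSwan conn $CONN_NAME is established" ;;
        restart)     echo "strongSwan conn $CONN_NAME is not established, restarting..."
                     ipsec restart ;;
    esac
else
    for s in "$STATUS_UP" "$STATUS_CONNECTING" "$STATUS_NONE"; do
        echo "decision: $(monitor_decision "$s")"
    done
fi
```

Run it without arguments to see the decision for each constructed sample, or with --live from cron in place of monitor.sh. Keying the check to the conn name matters once a host carries more than one conn, because the plain grep for ESTABLISHED in the answer would stay quiet as long as any of them is up.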