2

I use strongswan for IKEV2 and IPSEC. And i don't know how to keep it updated, and running on change restart etc.

  1. For starting service i use:

    systemctl status strongswan

  2. Afer that i need to type

    ipsec up vpn

When 1 side was disconect from network or any other reason i need every time type ipsec up vpn...

Is any options to make some automatically updated?

Ubuntu 18

/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn vpn
     compress=no
     type=tunnel
     keyexchange=ikev2
     ike=aes256-sha256-modp2048
     esp=aes256-sha256-modp2048
     ikelifetime = 24h
     lifetime = 30m
     dpddelay = 120s
     left=%any
     leftsourceip=%config
     leftcert=/etc/ipsec.d/certs/client1.crt
     leftid=client1@xxxxxxx
     leftfirewall=yes
     right=xxxxxxx
     rightsubnet=172.2.0.0/18
     rightid="CN=xxxxxxxx" 
     rightauth=eap-mschapv2
     auto=add
     eap_identity=%identity

One side is Mikrotik CCR other side is Ubuntu 18, both have IP without NAT traversal.

VPN work, i just need to know how to create automatic start on UBUNTU to start and keep VPN up if they reset or etc.

ONLINE TELEKOM
  • 21
  • 1
  • 4
  • I assume you are using `/etc/ipsec.conf` and **stroke** to configure **strongswan**. Can you add `/etc/ipsec.conf` to your question? Can you add more about the tunnel endpoints: are they both running Ubuntu? Do they both have a public IP or one is behind a NAT? That information will help to give a better suited answer. BTW: it is called IKE, not IKV. – Piotr P. Karwasz Dec 16 '19 at 21:17
  • its done @PiotrP.Karwasz – ONLINE TELEKOM Dec 16 '19 at 21:25

1 Answers1

3

I assume that strongswan starts on reboot, since you don't mention using systemctl start strongswan (the command you cite systemctl status strongswan just tells you whether the service is running). If that's not the case, you need to enable the service:

systemctl enable strongswan

In the conn section you need to specify what should strongswan do when it starts and when the remote peer closes the connection or dies. So add something like:

auto=start
dpdaction=hold
closeaction=hold

The meaning of the actions is explained in the manual page. Basically you want your tunnel to get up on server boot, while if the tunnel is closed intentionally (closeaction) or because of network problems (dpdaction) strongswan will install a trap that will try to bring it back next time it is needed, leaving time to the other peer to recover.

Piotr P. Karwasz
  • 5,748
  • 2
  • 11
  • 21