
I have 2 AWS regions I have connected using an OpenSWAN IPSec tunnel. This works great in our production environment, but in our test environment, where 1 of the regions has long periods of inactivity, the tunnel will go down and I have to SSH to the server and run sudo service network restart to get it running again.

I have seen it vaguely alluded to elsewhere that by design IPSec will do this, but I can't see any hard and fast rules in any of the .conf files that specify any kind of tunnel timeout.

Is this just a feature of IPSec? Can anyone point me to any OpenSWAN/IPSec documentation that explains this in depth, as I can't find anything conclusive?

Also, based on this, is it best practice to have a cron job constantly pinging through the tunnel to keep it perpetually up?

Many Thanks,

1 Answer


Assuming you're using a setup similar to Openswan's ec2 example, try setting

lifetime=1800
rekey=yes

but only on the initiating end. This will set SA expiry and renegotiate to every 30 minutes.

  • Thanks for your answer, I may have misunderstood something, but aren't the salifetime & rekey parameters enabled by default? Is this just purely to override the default lifetime of 8 hours to a shorter time span? Also, I am somewhat confused as to how, if the connection is already by default being renegotiated every 8 hours, the drop is occurring?
    – Uberzen1
    Commented Feb 4, 2016 at 14:38
  • @Uberzen1 It's one of the first things I try when I have problems, usually with Ciscos on one end. Without logs and not knowing when the connections drop it's difficult to pinpoint. Does your live network share any gateways with your test network?
    – FoamyBeer
    Commented Feb 4, 2016 at 15:07
  • Not at all, they are completely segregated. I will try your suggestion; if it's worked for you then perhaps it will for me!
    – Uberzen1
    Commented Feb 4, 2016 at 17:39
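The question asks whether a cron job that pings through the tunnel is a reasonable way to keep it up. The script below is an added example written for this page, not code from the original question, the answer, or the Openswan project. It probes a host behind the remote gateway and, only after several consecutive failures, re-initiates the single named IPsec connection with Openswan's standard `ipsec auto --down` / `ipsec auto --up` commands, instead of restarting the whole network stack as the question describes. The connection name `aws-test-to-prod`, the remote host `10.1.0.10`, the failure threshold and the state file path are placeholders I assumed for illustration; the probe and restart commands are passed in as parameters so the decision logic can be exercised without a live tunnel.

```shell
#!/bin/sh
# Cron keepalive for an Openswan site-to-site tunnel (added example, not from
# the original page). Intended to run every minute, e.g.:
#   * * * * * /usr/local/sbin/ipsec-keepalive.sh run
#
# Assumed placeholders (override via environment):
#   CONN_NAME   name of the conn in ipsec.conf
#   PEER_HOST   a host that only answers through the tunnel
CONN_NAME="${CONN_NAME:-aws-test-to-prod}"
PEER_HOST="${PEER_HOST:-10.1.0.10}"
FAILS_BEFORE_RESTART="${FAILS_BEFORE_RESTART:-3}"
STATE_FILE="${STATE_FILE:-/var/run/ipsec-keepalive.fails}"

# Log to syslog when logger is available, and always to stderr so cron mails it.
log() {
    command -v logger >/dev/null 2>&1 && logger -t ipsec-keepalive "$*"
    echo "ipsec-keepalive: $*" >&2
}

# probe_tunnel HOST: 0 if one ICMP echo (Linux iputils ping) is answered within 2s.
probe_tunnel() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# restart_tunnel CONN: re-initiate just this connection via Openswan's control
# interface; output goes to stderr so it does not mix with the status word.
restart_tunnel() {
    ipsec auto --down "$1" >&2 2>/dev/null || true
    ipsec auto --up "$1" >&2
}

# keepalive PROBE_CMD RESTART_CMD
# Runs PROBE_CMD against PEER_HOST and counts consecutive failures in
# STATE_FILE. Once FAILS_BEFORE_RESTART is reached it runs RESTART_CMD with
# CONN_NAME and resets the counter. Prints ok / waiting / restarted on stdout
# and returns 0 / 1 / 2 respectively.
keepalive() {
    probe_cmd="$1"; restart_cmd="$2"
    if "$probe_cmd" "$PEER_HOST"; then
        rm -f "$STATE_FILE"
        echo ok
        return 0
    fi
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    fails=$((fails + 1))
    if [ "$fails" -lt "$FAILS_BEFORE_RESTART" ]; then
        echo "$fails" > "$STATE_FILE"
        echo waiting
        return 1
    fi
    rm -f "$STATE_FILE"
    log "no reply from $PEER_HOST after $fails probes; re-initiating $CONN_NAME"
    "$restart_cmd" "$CONN_NAME"
    echo restarted
    return 2
}

# Entry point for cron; skipped unless the first argument is "run" so the
# functions can be sourced and tested without touching a real tunnel.
if [ "${1:-}" = run ]; then
    keepalive probe_tunnel restart_tunnel
fi
```

The threshold avoids tearing down a healthy tunnel on a single lost packet, and acting on one connection name keeps the cron job's blast radius to the tunnel it monitors. Openswan also has a built-in mechanism for the same job: dead peer detection (the `dpddelay`, `dpdtimeout` and `dpdaction` conn options), which sends periodic IKE keepalives and can restart the connection itself when the peer stops answering, so a ping-from-cron loop is the fallback rather than the first thing to reach for.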
