I use strongswan for IKEv2 and IPsec.
And I don't know how to keep it updated, running, restarting on change, etc.
To start the service I use:
systemctl status strongswan
After that I need to type
ipsec up vpn
When one side is disconnected from the network, or for any other reason, I need to type ipsec up vpn every time…
Are there any options to make this update automatically?
Ubuntu 18
/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn vpn
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ikelifetime = 24h
    lifetime = 30m
    dpddelay = 120s
    left=%any
    leftsourceip=%config
    leftcert=/etc/ipsec.d/certs/client1.crt
    leftid=client1@xxxxxxx
    leftfirewall=yes
    right=xxxxxxx
    rightsubnet=172.2.0.0/18
    rightid="CN=xxxxxxxx"
    rightauth=eap-mschapv2
    auto=add
    eap_identity=%identity
One side is a Mikrotik CCR, the other side is Ubuntu 18; both have IPs without NAT traversal.
The VPN works, I just need to know how to create an automatic start on Ubuntu to start and keep the VPN up if they reset, etc.
Best Answer
I assume that strongswan starts on reboot, since you don't mention using
systemctl start strongswan
(the command you cite, systemctl status strongswan, just tells you whether the service is running). If that's not the case, you need to enable the service:
In the conn section you need to specify what strongswan should do when it starts and when the remote peer closes the connection or dies. So add something like:
The meaning of the actions is explained in the manual page. Basically you want your tunnel to come up on server boot, while if the tunnel is closed intentionally (closeaction) or because of network problems (dpdaction) strongswan will install a trap that will try to bring it back the next time it is needed, leaving time for the other peer to recover.
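The options discussed in the answer, as an added example that is not code from the original question or answer: a shell check that reads one conn from an ipsec.conf and reports whether it comes up at daemon start and is re-established after a close or DPD timeout. The expected values (auto=start, and closeaction and dpdaction set to hold or restart) are this example's assumptions based on the ipsec.conf man page; the function names and both sample files are constructed.

```shell
# Added example: audit one conn in an ipsec.conf for the options that bring
# the tunnel up at daemon start and again after a drop.

# conn_option FILE CONN KEY: print KEY's value inside "conn CONN" (empty if unset).
conn_option() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ { next }                                          # comment line
        /^[^ \t]/  { in_conn = ($1 == "conn" && $2 == conn); next }  # section header
        in_conn && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_conn FILE CONN: print findings, return 1 if the conn will not recover by itself.
# Expected values are this example's assumption (ipsec.conf man page semantics).
check_conn() {
    rc=0
    [ "$(conn_option "$1" "$2" auto)" = start ] ||
        { echo "$2: auto is not 'start' (auto=add only loads the conn)"; rc=1; }
    for key in closeaction dpdaction; do
        case "$(conn_option "$1" "$2" "$key")" in
            hold|restart) ;;
            *) echo "$2: $key is not hold or restart"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the relevant keys as posted, then with the three options set.
before=$(mktemp); after=$(mktemp); trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
config setup
    uniqueids=no
conn vpn
    dpddelay = 120s
    auto=add
EOF
cat > "$after" <<'EOF'
conn vpn
    dpddelay = 120s
    auto=start
    closeaction=hold
    dpdaction=hold
EOF
check_conn "$before" vpn || echo "before: needs changes"
check_conn "$after" vpn && echo "after: ok"
```

In ipsec.conf, hold is the value that installs a trap policy and restart re-negotiates immediately. The ipsec.conf man page advises against closeaction when the peer uses reauthentication or uniqueids checking.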