Dead-peer-detection (IPSEC/L2TP with RADIUS on WIN2019 Server - part2)

Hi there,

Would you please point out the configuration files responsible for processing the code below?

[code]
vpn {
    ipsec {
        auto-update 60
        ike-group IKE-1 {
            close-action clear
            dead-peer-detection {
                action clear
                interval 30
                timeout 60
            }
        }
    }
}
[/code]
I have found suspicious behavior on the L2TP/IPsec firewall: the configuration with RADIUS authentication does not clear dead IPsec tunnels.
More or less the same configuration without RADIUS clears tunnels without problem.

Thanks

Hi, this one /etc/ipsec.d/tunnels/remote-access


Thanks, Dmitry.

It seems the configuration is correct in both cases.
Even more, I've found a task on the working L2TP gateway arranged to restart the VPN every night:

    task-scheduler {
        task reboot-vpn {
            crontab-spec "23 23 * * *"
            executable {
                path /config/scripts/reboot-vpn.sh
            }
        }
    }

The problem seems to be IPsec dead tunnels; I recall it is a very old problem.

~$ show vpn ipsec sa
Connection     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID      Proposal
-------------  -------  --------  --------------  ----------------  ----------------  -------------  ------------------------
remote-access  up       1h41m35s  3M/3M           32K/31K           <external IP1>    192.168.1.43   AES_CBC_256/HMAC_SHA1_96
remote-access  up       1h54m59s  1M/2M           14K/13K           <external IP2>    192.168.0.100  AES_CBC_256/HMAC_SHA1_96

Such tunnels can hang for 1/2/3 days and prevent relogin from the same IP address.
The cron task at night clears the non-active tunnels.
But I expected dead-peer-detection action clear to do so.

Any idea/comment/feedback is welcome.
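As an added helper (not from this thread or from VyOS), a small parser for the `show vpn ipsec sa` table format shown above that flags SAs whose uptime exceeds a threshold and remote addresses that appear more than once, which is a quick way to check whether DPD is actually clearing peers before resorting to a nightly restart. The sample table and its IP addresses are constructed, not the poster's real output.

```python
import re

# Constructed sample in the same column layout as `show vpn ipsec sa`;
# addresses are documentation ranges, not real peers.
SAMPLE = """\
Connection     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID      Proposal
-------------  -------  --------  --------------  ----------------  ----------------  -------------  ------------------------
remote-access  up       1h41m35s  3M/3M           32K/31K           203.0.113.10      192.168.1.43   AES_CBC_256/HMAC_SHA1_96
remote-access  up       2d3h5m    1M/2M           14K/13K           203.0.113.11      192.168.0.100  AES_CBC_256/HMAC_SHA1_96
remote-access  up       12s       0/0             0/0               203.0.113.10      192.168.1.43   AES_CBC_256/HMAC_SHA1_96
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def uptime_to_seconds(uptime):
    """Convert an uptime such as '1h41m35s' or '2d3h5m' to seconds."""
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", uptime))


def parse_sa_table(text):
    """Parse the table body (skipping the header and the dashed separator)."""
    rows = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) < 8:
            continue  # blank or truncated line
        rows.append({
            "connection": parts[0], "state": parts[1],
            "uptime_s": uptime_to_seconds(parts[2]),
            "bytes": parts[3], "packets": parts[4],
            "remote": parts[5], "remote_id": parts[6], "proposal": parts[7],
        })
    return rows


def stale_sas(rows, max_age_s):
    """SAs still 'up' but older than max_age_s: candidates DPD should have cleared."""
    return [r for r in rows if r["state"] == "up" and r["uptime_s"] > max_age_s]


def duplicate_remotes(rows):
    """Remote addresses with more than one SA, e.g. a relogin beside a hung tunnel."""
    seen, dupes = set(), set()
    for r in rows:
        if r["remote"] in seen:
            dupes.add(r["remote"])
        seen.add(r["remote"])
    return dupes


if __name__ == "__main__":
    rows = parse_sa_table(SAMPLE)
    for r in stale_sas(rows, 86400):
        print("stale:", r["remote"], r["remote_id"], r["uptime_s"], "s")
    print("duplicate remotes:", duplicate_remotes(rows))
```

Feed it the live output (`show vpn ipsec sa | cat`) and pick a threshold a little above the longest legitimate session; anything older with a dead client means DPD with `action clear` did not fire.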

So, I think dead-peer-detection should solve this issue, shouldn't it?
Can you disable this cron rule and check sudo swanctl -l when it happens?
PS: Please mark your public IP addresses.

> So, I think dead-peer-detection should solve this issue, shouldn't it?

Yes, I just forgot about the fix by the task.
But it seems a very old problem, present since a very previous version, half a year ago or even more.

> Can you disable this cron rule and check sudo swanctl -l when it happens?

It could be possible within the next few days, because it is a very occasional event.
I need to collect some load activity from our workers.

> PS: Please mark your public IP addresses.

Thanks, did it.