}
[/code]
Have found suspicious behavior on the L2TP/IPSEC firewall - a configuration with RADIUS authentication does not clear dead IPSEC tunnels.
More or less the same configuration without RADIUS clears tunnels without problem.
The problem seems to be in IPSEC dead tunnels; I recall it is a very old problem.
[code]
~$ show vpn ipsec sa
Connection     State  Uptime    Bytes In/Out  Packets In/Out  Remote address  Remote ID      Proposal
-------------  -----  --------  ------------  --------------  --------------  -------------  ------------------------
remote-access  up     1h41m35s  3M/3M         32K/31K         <external IP1>  192.168.1.43   AES_CBC_256/HMAC_SHA1_96
remote-access  up     1h54m59s  1M/2M         14K/13K         <external IP2>  192.168.0.100  AES_CBC_256/HMAC_SHA1_96
[/code]
Such tunnels can hang for 1/2/3 days and prevent relogin from the same IP address.
A cron task at night clears non-active tunnels.
But I expected dead-peer-action clear to do so.
So, I think dead-peer-detection should solve this issue, shouldn't it?
Can you disable this cron rule and check sudo swanctl -l when it happened?
PS: Please mark your public IP addresses.
Hi @hook.ua, it looks like the IPSec session stays alive because Win clients do not support DPD. And the IPSec session should be dropped on rekeying only.
I can confirm that this does not happen when the client is Mac OS X.
In VyOS logs you can find the following output:
[code]
charon[5798]: 08[IKE] DPD not supported by peer, disabled
[/code]
Yes, I can confirm - the mentioned string is present in the log for almost every Windows client connection.
So, it seems a nightly reset of IPSEC/VPN is a decent solution in a Windows-rich environment.
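An added example (not code from this thread or from VyOS) of how the nightly check could be scripted: it parses a table in the `show vpn ipsec sa` format quoted above (the sample rows and addresses here are constructed), converts the Uptime column to seconds, reports tunnels older than a threshold, and counts charon "DPD not supported by peer" lines so peers that lack DPD can be tracked. The age threshold and the log sample are assumptions; the actual reset command is left to the operator.

```python
import re

# Constructed sample in the layout of `show vpn ipsec sa` (placeholder addresses).
SAMPLE_SA = """\
Connection     State  Uptime    Bytes In/Out  Packets In/Out  Remote address  Remote ID      Proposal
-------------  -----  --------  ------------  --------------  --------------  -------------  ------------------------
remote-access  up     1h41m35s  3M/3M         32K/31K         198.51.100.10   192.168.1.43   AES_CBC_256/HMAC_SHA1_96
remote-access  up     2d3h5m1s  1M/2M         14K/13K         198.51.100.20   192.168.0.100  AES_CBC_256/HMAC_SHA1_96
remote-access  up     12m4s     0/0           0/0             198.51.100.30   10.0.0.5       AES_CBC_256/HMAC_SHA1_96
"""

# Constructed log lines; only the DPD line is the real message quoted in the thread.
SAMPLE_LOG = [
    "charon[5798]: 08[IKE] DPD not supported by peer, disabled",
    "charon[5798]: 09[IKE] IKE_SA remote-access[12] established",
    "charon[5798]: 10[IKE] DPD not supported by peer, disabled",
]

UPTIME_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")
DPD_RE = re.compile(r"charon\[\d+\]: \d+\[IKE\] DPD not supported by peer, disabled")


def parse_uptime(text):
    """Convert an uptime such as '1h41m35s' or '2d3h5m1s' into seconds."""
    m = UPTIME_RE.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError("unrecognized uptime: %r" % text)
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_sa_table(output):
    """Return one dict per SA row; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        # Data rows have exactly 8 whitespace-separated columns.
        if len(parts) != 8 or parts[0].startswith("-"):
            continue
        conn, state, uptime, _bytes, _pkts, remote_addr, remote_id, proposal = parts
        rows.append({"connection": conn, "state": state, "uptime_s": parse_uptime(uptime),
                     "remote_addr": remote_addr, "remote_id": remote_id, "proposal": proposal})
    return rows


def stale_tunnels(output, max_age_s=24 * 3600):
    """Remote addresses of 'up' SAs older than max_age_s (assumed 24h threshold).
    Age alone does not prove a tunnel is dead; treat the list as candidates to review."""
    return [r["remote_addr"] for r in parse_sa_table(output)
            if r["state"] == "up" and r["uptime_s"] > max_age_s]


def peers_without_dpd(log_lines):
    """Count charon lines saying the peer (typically a Windows client) lacks DPD."""
    return sum(1 for line in log_lines if DPD_RE.search(line))
```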