Why can't the IPSec tunnel come up after a reboot?
Hello community. Need help from experts.
According to the manual https://sysadmins.co.za/setup-a-site-to-site-ipsec... I set up a 2 to 1 connection (two servers to one node - connection is needed only with the node).
MAIN: X.X.X.X ; SRV1 : A.A.A.A ; SRV2 : B.B.B.B
A.A.A.A <=> X.X.X.X and B.B.B.B <=> X.X.X.X
Addition. While reading through the manuals, I came across service values like %any and %opportunistic in the settings, and this in some way led me to the question. If you need to add more servers, then after changing the settings on the main node you will have to restart ipsec, which means breaking all open connections... Can these keywords help in this case? So that you do not need to configure and add blocks to ipsec.conf, but only add a line to ipsec.secrets and use the ipsec reload directive?
I read through several different manuals, including the original IPSec config manual, and added a small script run by cron every minute: it checks the connection status, and if the status is not "connected" and not "connecting", it restarts IPSec...
Everything works as it should, at least everything suits me ...
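A per-connection variant of the cron watchdog described above, as an added example that is not the poster's script. It assumes strongSwan's `ipsec` command and status line format, and the connection names `srv1` and `srv2` are hypothetical; instead of restarting the whole daemon it re-initiates only the connection that is down, so the tunnel to the other server stays up.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes strongSwan's `ipsec` command
# and its status lines of the form "<conn>[<id>]: ESTABLISHED|CONNECTING ...".

# Constructed sample of `ipsec status` output; srv1/srv2 are hypothetical
# connection names, the addresses are the post's placeholders.
SAMPLE_STATUS='Security Associations (1 up, 1 connecting):
        srv2[4]: CONNECTING, X.X.X.X[%any]...B.B.B.B[%any]
        srv1[3]: ESTABLISHED 2 minutes ago, X.X.X.X[X.X.X.X]...A.A.A.A[A.A.A.A]
        srv1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o'

# conn_state NAME: read status text on stdin and print the IKE SA state of
# connection NAME as "up", "connecting" or "down".
conn_state() {
    awk -v name="$1" '
        {
            tag = $1
            sub(/\[[0-9]+\]:$/, "", tag)        # "srv1[3]:" -> "srv1"
            if (tag == $1 || tag != name) next  # not an IKE SA line, or another conn
            if ($2 == "ESTABLISHED") up = 1
            if ($2 ~ /^CONNECTING/)  connecting = 1
        }
        END { print (up ? "up" : (connecting ? "connecting" : "down")) }
    '
}

# watchdog NAME...: re-initiate only the connections that are down, so healthy
# tunnels to the other peers are not torn down by a global restart.
watchdog() {
    # A failing status call is treated as "daemon not running".
    status=$(ipsec status) || { ipsec start; return; }
    for c in "$@"; do
        state=$(printf '%s\n' "$status" | conn_state "$c")
        if [ "$state" = "down" ]; then
            logger -t ipsec-watchdog "connection $c is down, re-initiating"
            ipsec up "$c"
        fi
    done
}

# Run only when connection names are given, e.g. from cron: watchdog.sh srv1 srv2
if [ "$#" -gt 0 ]; then
    watchdog "$@"
fi
```

The name match is exact, so a connection called `srv1` is not confused with `srv10`, and child SA lines (`srv1{1}: INSTALLED`) are ignored when deciding the IKE state.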