
DPD does not restart IPsec site-to-site connection

Wondering if this or similar issues have been resolved. I'm having this problem with only 1 of my VPN connections so far. The timing, however, used to be 1 hour, but is more like 4-8 hours, inconsistently, after changing the lifetime of the IPsec SA. Who knows. But I found a strongSwan option that, again, does not seem to be exposed in the Astaro GUI.


dpdaction controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD. If no activity is detected, all connections with a dead peer are stopped and unrouted (clear), put in the hold state (hold) or restarted (restart). For IKEv1, the default is none which disables the active sending of R_U_THERE notifications. Nevertheless pluto will always send the DPD Vendor ID during connection set up in order to signal the readiness to act passively as a responder if the peer wants to use DPD. For IKEv2, none doesn't make sense, since all messages are used to detect dead peers. If specified, it has the same meaning as the default (clear).

I would prefer to always set this to RESTART for my connections. But I'm betting that since Astaro might not be setting this, it's doing the CLEAR action. Further, the sad thing is that Dead Peer Detection is set at the entire router level in Astaro. However, this option really is supposed to be at the connection level, so that each one can be configured independently.

For now, I just turned off DPD for the entire router and am going to see if that helps.
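For comparison with the router-wide switch described above, here is what the per-connection DPD settings from the strongSwan man page look like in a plain strongSwan ipsec.conf. This is an added example, not configuration from the post or from Astaro/Sophos UTM; the connection names, addresses and subnets are placeholders, and dpddelay/dpdtimeout/keyingtries are the standard strongSwan ipsec.conf keys that accompany dpdaction.

```conf
# Added example (not from the post or from Astaro): two site-to-site
# connections in strongSwan ipsec.conf, each with its own DPD policy.
# Addresses, subnets and connection names are placeholders.
config setup
        # Global daemon settings only; DPD is deliberately NOT set here,
        # because strongSwan scopes it to each "conn" section.

# Critical tunnel: bring the SA back automatically if the peer goes silent.
conn site-to-site-hq
        keyexchange=ikev1
        left=203.0.113.10            # local gateway (placeholder)
        leftsubnet=10.1.0.0/24
        right=198.51.100.20          # remote gateway (placeholder)
        rightsubnet=10.2.0.0/24
        authby=secret
        auto=start
        # Dead Peer Detection (RFC 3706) for this connection only.
        dpdaction=restart            # re-establish the SAs when the peer is declared dead
        dpddelay=30s                 # send R_U_THERE after 30 s without IKE traffic
        dpdtimeout=120s              # IKEv1 only: peer is dead after 120 s with no reply
        keyingtries=%forever         # keep retrying after a DPD-triggered restart

# Less critical tunnel: tear the SAs down and wait for the peer to reconnect.
conn site-to-site-branch
        keyexchange=ikev1
        left=203.0.113.10
        leftsubnet=10.1.0.0/24
        right=192.0.2.30             # remote gateway (placeholder)
        rightsubnet=10.3.0.0/24
        authby=secret
        auto=add                     # responder only; the branch initiates
        dpdaction=clear              # same effect as leaving dpdaction unset on IKEv2
        dpddelay=30s
        dpdtimeout=120s
```

The detail worth checking on any gateway that hides these keys is which dpdaction it actually writes: with clear, a tunnel that was only ever initiated from your side will stay down until something re-initiates it, which matches the "does not restart" behaviour in the title.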
