How to Configure strongSwan VPN Clients for Automatic Reconnection When Server is Down



When working with strongSwan VPN clients in production environments, maintaining persistent connections is crucial. The default configuration often doesn't handle server outages gracefully, requiring manual intervention to reestablish connections.

To enable automatic reconnection, we need to modify the ipsec.conf file with specific parameters that control reconnection behavior:

# In ipsec.conf
conn %default
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!
    # retry IKE_SA establishment indefinitely instead of the default 3 tries
    keyingtries=%forever
    rekey=no
    reauth=no
    # Dead Peer Detection: send a probe after 30s of inactivity and re-initiate
    # when the peer is declared dead. dpdtimeout only applies to IKEv1; for IKEv2
    # the charon retransmission settings decide when the peer counts as dead.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

conn ikev2
    auto=start
    leftid=client@my-vpn.com
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=my-vpn.com
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

keyingtries=%forever: This tells strongSwan to keep attempting to establish the connection indefinitely rather than giving up after the default 3 attempts.

DPD settings: The Dead Peer Detection configuration (dpddelay, dpdtimeout, dpdaction) helps the client detect when the server becomes unresponsive and triggers automatic reconnection.

For more control over the reconnection behavior, consider these additional parameters:

conn ikev2
    # ... existing parameters ...
    # re-initiate the connection when the peer closes it (e.g. a server restart)
    closeaction=restart

The retransmission timers are not conn options in ipsec.conf; they are charon settings in strongswan.conf, given as seconds:

# In strongswan.conf
charon {
    # first retransmit after 3s, each further one waits retransmit_base times longer
    retransmit_timeout = 3.0
    retransmit_tries = 10
}

To monitor the reconnection attempts, configure logging in strongSwan:

# In strongswan.conf
charon {
    filelog {
        /var/log/strongswan.log {
            # same timestamp format as syslog, so lines sort with other system logs
            time_format = %b %e %T
            # log level 2 for all subsystems; enough to see retransmits and restarts
            default = 2
            flush_line = yes
        }
    }
}

Ensure the strongSwan service is configured to restart automatically:

[Unit]
Description=strongSwan IPsec IKEv2 daemon
# Wants= actually pulls in network-online.target; After= alone only orders against it
Wants=network-online.target
After=syslog.target network-online.target

[Service]
ExecStart=/usr/libexec/ipsec/starter --daemon charon --nofork
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target

Simulate a server outage to verify the automatic reconnection:

# Monitor connection status
ipsec statusall

# Force a disconnection (on server)
ipsec down ikev2

# Check client logs for reconnection attempts
tail -f /var/log/strongswan.log

When deploying strongSwan VPN clients, maintaining uninterrupted connectivity is crucial for production environments. The default configuration doesn't handle server downtime gracefully on its own: clients typically give up after the initial connection attempts. Here's how to engineer persistent reconnection behavior.

The key to auto-reconnect lies in these essential ipsec.conf parameters:

conn %default
    keyexchange=ikev2
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-sha384-modp3072!
    # Persistent connection settings
    keyingtries=%forever
    rekey=no
    # dpdtimeout is honoured for IKEv1 only; IKEv2 uses the charon retransmission timers
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

Here's a complete working configuration for an EAP-TLS client with auto-reconnect:

conn ikev2-persistent
    auto=start
    leftid=client@my-vpn.com
    leftsourceip=%config
    leftauth=eap-tls
    leftcert=vpn-client.crt
    right=my-vpn.com
    rightid=my-vpn.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    # Connection resilience
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
    dpdtimeout=120s
    closeaction=restart
    # aggressive mode is an IKEv1-only setting and has no effect on IKEv2 reconnects;
    # it stays disabled
    aggressive=no

For mission-critical deployments, consider these additional settings:

# In ipsec.conf
config setup
    # verbose IKE and config logging while tuning the reconnect behaviour
    charondebug="ike 2, cfg 2"
    # keep several IKE_SAs with the same identity instead of replacing the old one
    uniqueids=no

# In strongswan.conf: the retry intervals are charon options, not ipsec.conf options
charon {
    retransmit_timeout = 3.0
    retransmit_tries = 10
    retransmit_base = 1.8
    # note: 10 retransmits at base 1.8 means charon keeps retransmitting for well
    # over 20 minutes before giving up on a dead peer; reduce retransmit_tries
    # (or cap the interval with retransmit_limit) if faster failover is wanted
}

Ensure the strongSwan service automatically restarts:

# /etc/systemd/system/ipsec.service.d/override.conf
[Unit]
# disable systemd's start-rate limiting so Restart=always is never suppressed
StartLimitIntervalSec=0

[Service]
Restart=always
RestartSec=5s

Use these commands to verify your configuration:

ipsec statusall
journalctl -u strongswan -f
ipsec reload
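To turn the log tail from either verification procedure above into numbers, here is an added Python analyzer (not part of the original article or of strongSwan) for the filelog configured earlier with time_format = %b %e %T. The log lines in SAMPLE_LOG are constructed to mirror charon's usual wording and are not a real capture; the year is assumed because the format carries none.

```python
import re
from datetime import datetime

# charon filelog line with time_format = %b %e %T: "<timestamp> <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                     r"\d+\[(?P<group>\w+)\] (?P<msg>.*)$")

# Constructed sample in charon's format; not a real capture (addresses are placeholders).
SAMPLE_LOG = """\
Jan 10 12:00:05 07[IKE] sending DPD request
Jan 10 12:00:09 07[IKE] retransmit 1 of request with message ID 14
Jan 10 12:01:10 07[IKE] giving up after 5 retransmits
Jan 10 12:01:10 07[IKE] initiating IKE_SA ikev2[2] to 203.0.113.10
Jan 10 12:01:50 07[IKE] giving up after 5 retransmits
Jan 10 12:01:50 07[IKE] establishing connection 'ikev2' failed
Jan 10 12:01:50 07[IKE] initiating IKE_SA ikev2[3] to 203.0.113.10
Jan 10 12:01:53 07[IKE] IKE_SA ikev2[3] established between 10.0.0.5[client@my-vpn.com]...203.0.113.10[my-vpn.com]
"""

def parse_line(line, year=2024):
    """Return (timestamp, log group, message) or None; the log has no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["group"], m["msg"]

def analyze_outages(log_text, year=2024):
    """Pair each 'giving up' (peer declared dead) with the next established IKE_SA.
    An outage still in progress at the end of the log is not reported."""
    outages, cur = [], None
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, _, msg = parsed
        if cur is None:
            if msg.startswith("giving up after"):      # retransmits exhausted: peer is dead
                cur = {"lost_at": ts, "attempts": 0, "failed_attempts": 0}
        elif msg.startswith("initiating IKE_SA"):       # dpdaction/closeaction=restart at work
            cur["attempts"] += 1
        elif msg.startswith("establishing connection") and msg.endswith("failed"):
            cur["failed_attempts"] += 1
        elif " established between " in msg:           # tunnel is back
            cur["restored_at"] = ts
            cur["downtime_s"] = (ts - cur["lost_at"]).total_seconds()
            outages.append(cur)
            cur = None
    return outages
```

Run it over /var/log/strongswan.log after the simulated outage; a downtime far above dpddelay plus the retransmit budget, or a high failed_attempts count, points at the retransmission settings rather than at the server.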