<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Actually the output above happens ~30-60 minutes after phone disconnection.</span><div style="font-family:arial,sans-serif;font-size:13px"> </div><div style="font-family:arial,sans-serif;font-size:13px">

1. Right after I start the ipsec daemon, with no clients connected, I have:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>000 </div><div class="im">

<div>000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0</div><div>000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div>

<div>000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div><div>000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div><div>000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0; </div>

<div>000 </div></div></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">2. When the client is connected (I can ssh to the VPN gateway through the tunnel):</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>000 </div><div class="im"><div>000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0</div>

<div>000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div><div>000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div>

<div>000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0; </div></div><div>000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2</div>

<div class="im"><div>000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div>

<div>000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div></div><div>000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2; </div><div class="im"><div>000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024</div>

</div><div>000 "L2TP"[2]:   ESP proposal: 3DES_CBC/HMAC_SHA1/&lt;N/A&gt;</div><div>000 </div><div>000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1104s; newest IPSEC; eroute owner</div>

<div>000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510@213.226.63.139 (606 bytes, 2s ago) esp.c639026f@212.25.51.133 (595 bytes, 2s ago); transport</div>

<div>000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28793s; newest ISAKMP</div><div>000 </div>

</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">3. After I disconnect the client and wait 9 minutes (just in case), I have:</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>000 </div><div class="im"><div>000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0</div>

<div>000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div><div>000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div>

<div>000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0; </div></div><div>000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2</div>

<div class="im"><div>000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div>

<div>000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div></div><div>000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2; </div><div class="im"><div>000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024</div>

</div><div>000 "L2TP"[2]:   ESP proposal: 3DES_CBC/HMAC_SHA1/&lt;N/A&gt;</div><div>000 </div><div>000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 489s; newest IPSEC; eroute owner</div>

<div>000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510@213.226.63.139 (1106 bytes, 555s ago) esp.c639026f@212.25.51.133 (1079 bytes, 559s ago); transport</div>

<div>000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28178s; newest ISAKMP</div><div>000 </div>

</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">4. Without touching the phone or strongSwan, I now have the following:<div><br></div><div><div class="im">

<div>000 </div><div>000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0</div><div>000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div>

<div>000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div><div>000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div><div>000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0; </div>

</div><div>000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; unrouted; eroute owner: #0</div>

<div class="im"><div>000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0</div><div>000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;</div>

<div>000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1; </div><div>000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0; </div><div>000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024</div>

<div>000 </div></div><div>000 #45: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s</div><div>000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 24742s; newest ISAKMP</div>

<div>000</div></div><div><br></div><div>It is worth mentioning that when the tunnel is in the state from paragraph 3 above, if I attempt to connect again with the same phone and the same connection credentials, the connection starts as usual, but then the L2TP traffic doesn't start over port 4500 as usual; it continues on port 1701 and is not encrypted.</div>

</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">There was no packet flow during these 9 minutes, as seen with this command:</div><div style="font-family:arial,sans-serif;font-size:13px">

tcpdump -l -v -n -i eth1 port 500 or port 4500 or port 1701 or esp<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I have a working tunnel with strongSwan version 4.3.2, and in the auth.log file I have the following references to DPD:</div>

<div><div><font face="arial, sans-serif">pluto[1346]: "q81" #12761: Dead Peer Detection (RFC 3706) enabled</font></div><div><span style="font-family:arial,sans-serif">pluto[1346]: </span><font face="arial, sans-serif">out_vendorid(): sending [Dead Peer Detection]<br>

</font></div><div><font face="arial, sans-serif">pluto[1346]: "q81" #12763: received Vendor ID payload [Dead Peer Detection]<br></font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">On 4.5.2 the only reference in auth.log is:</font></div>

<div><font face="arial, sans-serif">pluto[7293]: "q81" #1: received Vendor ID payload [Dead Peer Detection]<br></font></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div></div><div style="font-family:arial,sans-serif;font-size:13px">

I checked that there is no compile-time option for disabling DPD. Ubuntu 12.04 didn't provide any patches to disable DPD.</div><div style="font-family:arial,sans-serif;font-size:13px">Am I missing something?<br></div></div>

<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 20, 2012 at 7:04 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Dragomir,<br>
<br>
with your configuration DPD should work but your ipsec status<br>
shows with<div class="im"><br>
<br>
 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s<br>
<br></div>
that the IPsec connection has not been fully established and therefore<br>
no DPD payloads are sent.<br>
<br>
Regards<br>
<br>
Andreas<div class="im"><br>
<br>
On 20.12.2012 00:01, Dragomir Ivanov wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Hello,<br>
I have the following configuration for an L2TP connection used by an Android<br>
phone:<br>
<br>
config setup<br>
         plutostart=yes<br>
         plutodebug="control controlmore"<br>
         charonstart=yes<br>
         nocrsend=yes<br>
         nat_traversal=yes<br>
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br></div>
<div><div class="h5"><br>
<br>
conn %default<br>
         ikelifetime=60m<br>
         keylife=20m<br>
         rekeymargin=3m<br>
         keyingtries=%forever<br>
         authby=secret<br>
         mobike=no<br>
<br>
<br>
conn L2TP<br>
         authby=secret<br>
         auto=add<br>
         rekey=no<br>
         pfs=no<br>
         type=transport<br>
         forceencaps=yes<br>
         compress=yes<br>
         left=212.25.51.133<br>
         leftnexthop=212.25.51.1<br>
         leftprotoport=17/1701<br>
         right=%any<br>
         rightprotoport=17/%any<br>
         rightsubnet=vhost:%no,%priv<br>
         keyexchange=ikev1<br>
         dpdaction=clear<br>
         dpdtimeout=60<br>
         dpddelay=10<br>
<br>
The phone connects OK. But when the phone is disconnected, the SA stays<br>
indefinitely. With my configuration it should remove the SA association in<br>
60 seconds or so, but it stays like this:<br>
<br>
000 "L2TP":<br>
212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?;<br>
unrouted; eroute owner: #0<br>
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;<br>
rekey_fuzz: 100%; keyingtries: 0<br>
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;<br>
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;<br>
interface: eth1;<br>
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;<br>
000 "L2TP"[2]:<br>
212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0;<br>
unrouted; eroute owner: #0<br>
000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;<br>
rekey_fuzz: 100%; keyingtries: 0<br>
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;<br>
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;<br>
interface: eth1;<br>
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;<br>
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024<br>
000<br></div></div>
000 #341: "L2TP"[2] 213.226.63.142:33677<div class="im"><br>
STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s<br></div>
000 #1: "L2TP"[2] 213.226.63.142:33677<div class="im"><br>
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in<br>
3972s; newest ISAKMP<br>
<br>
When I look at tcpdump on UDP ports 500/4500, I see no packets (DPD) from<br>
the IPsec gateway to the remote device (Android).<br>
Is this a bug, or have I misconfigured something? Thank you.<br>
</div></blockquote>
<br>
======================================================================<br>
Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution!                <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
=============================================================[ITA-HSR]==<br>
<br>
</blockquote></div><br></div>
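<div style="font-family:arial,sans-serif;font-size:13px">Added example (not part of this thread and not strongSwan code): a small Python checker that parses pluto's <code>ipsec status</code> output, like the listings in the message above, and flags the two conditions discussed in the thread. The first is the half-open state Andreas points to: an ISAKMP SA is established but a Quick Mode initiator state keeps retransmitting and there is no IPsec SA, so no DPD payloads are sent. The second is the stale SA from step 3: an established IPsec SA whose ESP counters show no traffic for longer than dpd_delay + dpd_timeout even though dpd_action=clear is configured, which is the symptom the reporter describes. The sample input is constructed from the step 3 and step 4 listings (hyperlink residue removed, values unchanged); the class, function and regex names are my own.</div>

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the "ipsec status" lines from steps 3 and 4 of the
# message above (hyperlink residue removed, values unchanged).
STEP3_STATUS = """\
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 489s; newest IPSEC; eroute owner
000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510@213.226.63.139 (1106 bytes, 555s ago) esp.c639026f@212.25.51.133 (1079 bytes, 559s ago); transport
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28178s; newest ISAKMP
"""
STEP4_STATUS = """\
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; unrouted; eroute owner: #0
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #45: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 24742s; newest ISAKMP
"""

# Connection lines: 000 "L2TP"[2]: <selectors>; ...  and  000 "L2TP"[2]:   attr: value; ...
CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?:\s*(?P<rest>.*)$')
# State lines: 000 #<sa>: "L2TP"[2] <peer> STATE_... | esp.<spi>@<ip> (N bytes, Ts ago) ...
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) (?P<rest>.*)$')
EVENT_RE = re.compile(r"(EVENT_\w+) in (\d+)s")
TRAFFIC_RE = re.compile(r"esp\.[0-9a-f]+@\S+\s*\((\d+) bytes, (\d+)s ago\)")
ATTR_PATTERNS = {  # dataclass field -> regex over a connection attribute line
    "dpd_delay": r"dpd_delay: (\d+)s",
    "dpd_timeout": r"dpd_timeout: (\d+)s",
    "newest_isakmp": r"newest ISAKMP SA: #(\d+)",
    "newest_ipsec": r"newest IPsec SA: #(\d+)",
}

@dataclass
class ConnInstance:
    name: str                              # e.g. L2TP[2]
    dpd_delay: Optional[int] = None
    dpd_timeout: Optional[int] = None
    newest_isakmp: int = 0
    newest_ipsec: int = 0
    states: Dict[int, str] = field(default_factory=dict)              # sa -> STATE_*
    events: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # sa -> (EVENT_*, secs)
    last_traffic_ago: Optional[int] = None  # smallest "Ts ago" seen on the ESP SAs

def parse_status(text: str) -> Dict[str, ConnInstance]:
    """Parse pluto "ipsec status" output into one record per connection instance."""
    insts: Dict[str, ConnInstance] = {}

    def get(conn: str, inst: Optional[str]) -> ConnInstance:
        key = f"{conn}[{inst}]" if inst else conn
        return insts.setdefault(key, ConnInstance(key))

    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            ci, sa, rest = get(m["conn"], m["inst"]), int(m["sa"]), m["rest"]
            st = re.search(r"STATE_\w+", rest)
            if st:
                ci.states[sa] = st.group(0)
            ev = EVENT_RE.search(rest)
            if ev:
                ci.events[sa] = (ev.group(1), int(ev.group(2)))
            for _nbytes, ago in TRAFFIC_RE.findall(rest):
                if ci.last_traffic_ago is None or int(ago) < ci.last_traffic_ago:
                    ci.last_traffic_ago = int(ago)
            continue
        m = CONN_RE.match(line)
        if not m:
            continue  # bare "000" lines, proposals, etc.
        ci = get(m["conn"], m["inst"])
        for attr, pat in ATTR_PATTERNS.items():
            v = re.search(pat, m["rest"])
            if v:
                setattr(ci, attr, int(v.group(1)))
    return insts

def diagnose(ci: ConnInstance) -> List[str]:
    findings: List[str] = []
    # Half-open: ISAKMP SA up but Quick Mode never completed, so there is no
    # IPsec SA and, as Andreas explains, no DPD payloads are sent.
    if ci.newest_isakmp and not ci.newest_ipsec:
        for sa, st in ci.states.items():
            if st.startswith("STATE_QUICK_I"):
                ev, secs = ci.events.get(sa, ("?", 0))
                findings.append(f"{ci.name}: half-open, ISAKMP SA #{ci.newest_isakmp} up but Quick Mode "
                                f"#{sa} stuck in {st} ({ev} in {secs}s), no IPsec SA, so no DPD is sent")
    # Stale: IPsec SA up and DPD configured, yet no ESP traffic for longer than
    # dpd_delay + dpd_timeout; working DPD with dpd_action=clear would have removed it.
    if ci.newest_ipsec and ci.dpd_timeout is not None and ci.last_traffic_ago is not None:
        limit = (ci.dpd_delay or 0) + ci.dpd_timeout
        if ci.last_traffic_ago > limit:
            findings.append(f"{ci.name}: stale, IPsec SA #{ci.newest_ipsec} idle {ci.last_traffic_ago}s "
                            f"(> dpd_delay + dpd_timeout = {limit}s); DPD is not clearing it")
    return findings

def check_status(text: str) -> List[str]:
    return [f for ci in parse_status(text).values() for f in diagnose(ci)]
```

<div style="font-family:arial,sans-serif;font-size:13px">Calling <code>check_status(STEP3_STATUS)</code> yields one "stale" finding for L2TP[2] (idle 555s against a 70s limit), and <code>check_status(STEP4_STATUS)</code> yields one "half-open" finding for SA #45. Feeding it the output of <code>ipsec status</code> from a cron job is a cheap way to notice SAs that outlive a departed peer, which matters for a transport-mode L2TP setup because, as the reporter observes, a reconnect against a stale SA can end up carrying L2TP on port 1701 without ESP protection.</div>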