<div dir="ltr"><div>Hi all,</div><div><br></div>I am using StrongSwan 5.1.1, and despite enabling DPD my SAs are not being cleared. I am probably misunderstanding what DPD is for, so I am hoping someone can clarify. Here's my scenario:<div>
<br></div><div>Two nodes, 10.0.0.1 and 10.0.0.2. Node 2 has the connection as auto=route so is responsible for its creation (Node 1 is auto=add).</div><div><br></div><div>If I hard power-cycle Node 1, the SA remains until the Child SA rekeys. I had thought I could get around this with DPD, so that it would detect Node 1 had no state for that connection and close it, thus triggering a re-establishment. But this is not working: despite having DPD configured, it still waits until the Child SA rekeys naturally.</div>
<div><br></div><div>Shortly before this, the ipsec statusall looked like this:</div><div><br></div><div><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: local: [10.0.0.2] uses public key authentication</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: cert: "C=UK, ST=Berkshire, L=Reading, O=Pexip, CN=<a href="http://worker1.rd.pexip.com">worker1.rd.pexip.com</a>"</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: remote: [10.0.0.1] uses public key authentication</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Routed Connections:</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: ROUTED, TRANSPORT</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: <a href="http://10.0.0.2/32">10.0.0.2/32</a> === <a href="http://10.0.0.1/32">10.0.0.1/32</a> </p>
<p style="margin:0px;font-size:11px;font-family:Menlo">Security Associations (1 up, 0 connecting):</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: <a href="http://10.0.0.2/32">10.0.0.2/32</a> === <a href="http://10.0.0.1/32">10.0.0.1/32</a> </p></div><div><br></div><div>My ipsec.conf reads on Node 1:</div>
<div><br></div><div><p style="margin:0px;font-size:11px;font-family:Menlo">config setup</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">conn %default</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> left=10.0.0.1</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> leftcert=cert.pem</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> rightca=%same</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> reauth=no</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> type=transport</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> mobike=no</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ike=aes256-sha512-modp4096!</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> esp=aes256-sha512-modp4096!</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> keyingtries=%forever</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> dpdaction=clear</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> dpddelay=30s</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> dpdtimeout=120s</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p>
<p style="margin:0px;font-size:11px;font-family:Menlo">conn node-10.0.0.2</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> right=10.0.0.2</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> auto=add</p>
<p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p></div><div>And on Node 2 it's auto=route pointing to 10.0.0.1 but otherwise the same.</div><div><br></div><div>A tcpdump showed no IKE INFORMATIONAL messages being sent from Node 2. No charon logs in syslog existed in this time either. Can anybody please help me understand why DPD is not probing here? Or do I need some other setting?</div>
<div><br></div><div>Thanks in advance,</div><div>Alan</div><div><br></div></div>
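As an added check, not part of Alan's post or of strongSwan itself: a small Python parser for the `ipsec statusall` lines quoted above that pulls out the per-connection DPD settings (dpddelay, dpdaction) and, for each CHILD_SA, how long ago traffic was last received and sent. Because strongSwan only sends its DPD INFORMATIONAL exchange when no traffic has been received within dpddelay (ipsec.conf(5)), the interesting finding is a CHILD_SA that is still sending but whose inbound side has been idle for longer than dpddelay; the script flags that case and reports the rekey time the SA would otherwise wait for. The sample input is the status output from the post; the function names, the dict layout and the handling of the `0 bytes_i, 0 bytes_o` form (no parenthesised age) are my assumptions about the 5.x status format, not documented strongSwan API.

```python
import re
import sys

# Constructed sample input: the `ipsec statusall` lines quoted in the post above.
STATUSALL = """\
node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s
node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours
node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
"""

UNITS = {"s": 1, "second": 1, "seconds": 1, "m": 60, "minute": 60, "minutes": 60,
         "h": 3600, "hour": 3600, "hours": 3600}


def to_seconds(text):
    """'30s', '2201s', '4 minutes', '2 hours' -> integer seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text)
    if not m or m.group(2) not in UNITS:
        raise ValueError("unparsable duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


# Connection header line carrying dpddelay; the child template line carrying dpdaction;
# and the CHILD_SA traffic line (the "(N pkts, T ago)" part is absent when bytes are 0).
CONN_RE = re.compile(r"^(?P<conn>[^:\[{]+):\s.*dpddelay=(?P<delay>\S+)")
ACTION_RE = re.compile(r"^(?P<conn>[^:\[{]+):\s+child:.*dpdaction=(?P<action>\w+)")
CHILD_RE = re.compile(
    r"^(?P<conn>[^{]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, (?P<age_i>[^)]+) ago\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, (?P<age_o>[^)]+) ago\))?"
    r"(?:, (?P<rekey>.+))?$")


def parse_statusall(text):
    """Return {conn: {"dpddelay": secs|None, "dpdaction": str|None, "children": [...]}}."""
    conns = {}

    def entry(name):
        return conns.setdefault(name, {"dpddelay": None, "dpdaction": None, "children": []})

    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            entry(m.group("conn"))["dpddelay"] = to_seconds(m.group("delay"))
            continue
        m = ACTION_RE.match(line)
        if m:
            entry(m.group("conn"))["dpdaction"] = m.group("action")
            continue
        m = CHILD_RE.match(line)
        if m:
            rekey = m.group("rekey")
            prefix = "rekeying in "
            entry(m.group("conn"))["children"].append({
                "id": int(m.group("id")),
                "bytes_i": int(m.group("bytes_i")),
                "in_age": to_seconds(m.group("age_i")) if m.group("age_i") else None,
                "bytes_o": int(m.group("bytes_o")),
                "out_age": to_seconds(m.group("age_o")) if m.group("age_o") else None,
                "rekey_in": to_seconds(rekey[len(prefix):]) if rekey and rekey.startswith(prefix) else None,
            })
    return conns


def assess_dpd(conn):
    """Per CHILD_SA: is a DPD probe due under strongSwan's rule, and what is the rekey fallback?

    strongSwan sends DPD INFORMATIONAL exchanges only when no traffic has been
    received within dpddelay, so an SA that keeps sending but has received
    nothing for at least dpddelay is the case in which a probe is due.
    """
    findings = []
    for child in conn["children"]:
        never_received = child["in_age"] is None
        idle_in = never_received or child["in_age"] >= (conn["dpddelay"] or 0)
        findings.append({
            "child": child["id"],
            "dpd_enabled": conn["dpddelay"] is not None,
            "dpdaction": conn["dpdaction"],
            "inbound_idle_s": child["in_age"],
            "outbound_idle_s": child["out_age"],
            "dpd_probe_due": conn["dpddelay"] is not None and idle_in,
            # if DPD never clears the SA, this is how long until the natural rekey
            "rekey_fallback_s": child["rekey_in"],
        })
    return findings


if __name__ == "__main__":
    # `ipsec statusall | python3 dpd_check.py` checks a live daemon; no input uses the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else STATUSALL
    for name, conn in parse_statusall(text).items():
        for finding in assess_dpd(conn):
            print(name, finding)
```

On the quoted output the script reports the CHILD_SA as sending 1s ago but receiving nothing for 2201s, well past the 30s dpddelay, with the 4-minute rekey as the only other horizon; that is the condition to compare against the absence of INFORMATIONAL packets in the tcpdump.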