<div dir="ltr">Hi all,<div><br></div><div>I mailed this question a couple of weeks ago but not sure the right people saw it... Re-sending; I really hope someone can provide some indication of what's going on here!</div>
<div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><span style="font-family:arial,sans-serif;font-size:13px">I am using StrongSwan 5.1.1, and despite enabling DPD my SAs are not being cleared. I am probably misunderstanding what DPD is for, so I am hoping someone can clarify. Here's my scenario:</span><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">Two nodes, 10.0.0.1 and 10.0.0.2. Node 2 has the connection as auto=route so is responsible for its creation (Node 1 is auto=add).</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">If I hard power-cycle Node 1, the SA remains until the Child SA rekeys. I had thought I could get around this with DPD, so that it would detect Node 1 had no state for that connection and close it, thus triggering a re-establishment. But this is not working; despite having DPD configured, it still waits until the Child SA rekeys naturally.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Shortly before this, the ipsec statusall looked like this:</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px"><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s</p><p style="margin:0px;font-size:11px;font-family:Menlo">
node-10.0.0.1: local: [10.0.0.2] uses public key authentication</p><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1: remote: [10.0.0.1] uses public key authentication</p><p style="margin:0px;font-size:11px;font-family:Menlo">
node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear</p><p style="margin:0px;font-size:11px;font-family:Menlo">Routed Connections:</p><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: ROUTED, TRANSPORT</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32 </p><p style="margin:0px;font-size:11px;font-family:Menlo">
Security Associations (1 up, 0 connecting):</p><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]</p><p style="margin:0px;font-size:11px;font-family:Menlo">
node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours</p><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o</p><p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes</p>
<p style="margin:0px;font-size:11px;font-family:Menlo">node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32 </p></div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">My ipsec.conf reads on Node 1:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">
<p style="margin:0px;font-size:11px;font-family:Menlo">config setup</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">conn %default</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> left=10.0.0.1</p><p style="margin:0px;font-size:11px;font-family:Menlo"> leftcert=cert.pem</p><p style="margin:0px;font-size:11px;font-family:Menlo"> rightca=%same</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> reauth=no</p><p style="margin:0px;font-size:11px;font-family:Menlo"> type=transport</p><p style="margin:0px;font-size:11px;font-family:Menlo"> mobike=no</p>
<p style="margin:0px;font-size:11px;font-family:Menlo"> ike=aes256-sha512-modp4096!</p><p style="margin:0px;font-size:11px;font-family:Menlo"> esp=aes256-sha512-modp4096!</p><p style="margin:0px;font-size:11px;font-family:Menlo">
keyingtries=%forever</p><p style="margin:0px;font-size:11px;font-family:Menlo"> dpdaction=clear</p><p style="margin:0px;font-size:11px;font-family:Menlo"> dpddelay=30s</p><p style="margin:0px;font-size:11px;font-family:Menlo">
dpdtimeout=120s</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px"><br></p><p style="margin:0px;font-size:11px;font-family:Menlo">
conn node-10.0.0.2</p><p style="margin:0px;font-size:11px;font-family:Menlo"> right=10.0.0.2</p><p style="margin:0px;font-size:11px;font-family:Menlo"> auto=add</p><p style="margin:0px;font-size:11px;font-family:Menlo;min-height:13px">
<br></p></div><div style="font-family:arial,sans-serif;font-size:13px">And on Node 2 it's auto=route pointing to 10.0.0.1 but otherwise the same.</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div>
<div style="font-family:arial,sans-serif;font-size:13px">A tcpdump showed no IKE INFORMATIONAL messages being sent from Node 2. No charon logs in syslog existed in this time either. Can anybody please help me understand why DPD is not probing here? Or do I need some other setting?</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Thanks in advance,</div><div style="font-family:arial,sans-serif;font-size:13px">Alan</div></div>
</div>
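<div style="font-family:arial,sans-serif;font-size:13px">Added example (not part of Alan's post, and not strongSwan's own code): a Python script that parses <code>ipsec statusall</code> output of the shape quoted above and lists the CHILD_SAs for which a DPD probe was already due. charon arms its DPD timer on inbound traffic: a probe is sent once no packet has arrived on the IKE_SA or its CHILD_SAs for <code>dpddelay</code>, so an SA whose inbound counter has been idle longer than that should have produced at least one INFORMATIONAL on the wire. The sample input is the status excerpt from the post, re-typed as a constant; the regular expressions assume the 5.x <code>statusall</code> line formats shown in it, and the connection names and counters in the second test input are constructed.</div>

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `ipsec statusall` excerpt quoted in the post,
# re-typed here so the script runs offline. Real use: pipe `ipsec statusall`
# into this script on stdin.
SAMPLE_STATUS = """\
node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s
node-10.0.0.1: local: [10.0.0.2] uses public key authentication
node-10.0.0.1: remote: [10.0.0.1] uses public key authentication
node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear
Routed Connections:
node-10.0.0.1{1}: ROUTED, TRANSPORT
node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32
Security Associations (1 up, 0 connecting):
node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours
node-10.0.0.1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32
"""

# Line shapes as printed by strongSwan 5.x `ipsec statusall` (assumed from the excerpt above).
NAME = r"(?P<conn>[^:{\[\s]+)"
CONN_RE = re.compile(NAME + r":\s+\S+\.\.\.\S+\s+IKEv[\d/]+(?:,\s+dpddelay=(?P<delay>\d+)s)?")
CHILD_CFG_RE = re.compile(NAME + r":\s+child:.*\bdpdaction=(?P<action>\w+)")
ESTABLISHED_RE = re.compile(NAME + r"\[\d+\]:\s+ESTABLISHED (?P<n>\d+) (?P<unit>second|minute|hour|day)s? ago")
TRAFFIC_RE = re.compile(
    NAME + r"\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \(\d+ pkts, (?P<age_i>\d+)s ago\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \(\d+ pkts, (?P<age_o>\d+)s ago\))?"
)
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class ChildSA:
    id: int
    bytes_i: int
    bytes_o: int
    in_age: Optional[int]   # seconds since the last inbound ESP packet; None if none was ever received
    out_age: Optional[int]


@dataclass
class Conn:
    name: str
    dpddelay: Optional[int] = None   # None: no dpddelay configured, DPD timer never armed
    dpdaction: Optional[str] = None
    ike_age: Optional[int] = None    # seconds since the IKE_SA was established
    children: List[ChildSA] = field(default_factory=list)


def parse_statusall(text: str) -> Dict[str, Conn]:
    """Parse `ipsec statusall` into per-connection DPD settings and CHILD_SA traffic counters."""
    conns: Dict[str, Conn] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CONN_RE.match(line)):
            conns.setdefault(m["conn"], Conn(m["conn"])).dpddelay = int(m["delay"]) if m["delay"] else None
        elif (m := CHILD_CFG_RE.match(line)):
            conns.setdefault(m["conn"], Conn(m["conn"])).dpdaction = m["action"]
        elif (m := ESTABLISHED_RE.match(line)):
            conns.setdefault(m["conn"], Conn(m["conn"])).ike_age = int(m["n"]) * UNIT_SECONDS[m["unit"]]
        elif (m := TRAFFIC_RE.match(line)):
            conns.setdefault(m["conn"], Conn(m["conn"])).children.append(ChildSA(
                id=int(m["id"]),
                bytes_i=int(m["bytes_i"]),
                bytes_o=int(m["bytes_o"]),
                in_age=int(m["age_i"]) if m["age_i"] else None,
                out_age=int(m["age_o"]) if m["age_o"] else None,
            ))
    return conns


def dpd_overdue(conns: Dict[str, Conn]) -> List[Tuple[str, int, int, int]]:
    """Return (conn, child id, inbound idle seconds, dpddelay) for each CHILD_SA whose
    peer has been silent for at least dpddelay on a connection with DPD enabled.
    charon's DPD timer is driven by inbound traffic, so for each entry it should
    already have sent a DPD INFORMATIONAL; a capture showing none is the anomaly.
    Caveat: statusall does not show when the last IKE message arrived, and a recent
    IKE exchange also counts as liveness."""
    overdue = []
    for conn in conns.values():
        if conn.dpddelay is None or conn.dpdaction in (None, "none"):
            continue
        for child in conn.children:
            # Never received anything: the silence spans the IKE_SA's whole lifetime.
            idle = child.in_age if child.in_age is not None else conn.ike_age
            if idle is not None and idle >= conn.dpddelay:
                overdue.append((conn.name, child.id, idle, conn.dpddelay))
    return overdue


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for name, cid, idle, delay in dpd_overdue(parse_statusall(text)):
        print(f"{name}{{{cid}}}: no inbound traffic for {idle}s (dpddelay={delay}s): DPD probe expected")
```

<div style="font-family:arial,sans-serif;font-size:13px">On the excerpt from the post the inbound counter was last updated 2201s earlier against a dpddelay of 30s, so the script flags node-10.0.0.1{1}. One caveat on the settings shown: dpdtimeout only applies to IKEv1; for IKEv2 charon declares the peer dead when the retransmission schedule for the DPD exchange (retransmit_tries and retransmit_timeout in strongswan.conf) is exhausted, and charon logs "sending DPD request" at the default log level when a probe goes out.</div>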