<div dir="ltr"><div><div><div><div><div>Hi Tobias,<br><br></div>After customer added roam_events = no in config file,<br></div>problem still occurs on most of the tunnels.<br></div>It would seems MOBIKE tasks are not caused by interface up/down.<br></div><div>Can you tell what events can trigger activation of MOBIKE task?<br></div><div><br></div>I saw these in customer's syslog:<br></div><ul><li>sending DPD request</li><li>generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]</li><li>no route found to reach peer, MOBIKE update deferred</li></ul><p>I cannot reproduce such exchange in my lab. I got these logs:</p><ul><li>sending DPD request</li><li>activating IKE_DPD task (may come from my own debug prints)</li><li>generating INFORMATION request 0 [ ]</li><li>sending packet: from <server_add> to <client_addr><br></li></ul><p>Thanks,</p><p>Simon<br></p><p><br></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 5, 2017 at 2:20 AM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Simon,<br>
<br>
> 1. Any guesses on how MOBIKE task get stuck and won't timeout? Should<br>
> there be on-going re-tries?<br>
<br>
Read the log.<br>
<br>
> 2. I think charon is still sending keepalive messages to the peers with<br>
> MOBIKE task active, but no DPD is sent. This behavior seems to create<br>
> the situation that tunnels stay connect but they are really dead long ago.<br>
<br>
Could be the daemon thinks there is no valid path to reach the peer, so<br>
it deferred sending any messages until the network connectivity changes<br>
(again check the log for details).<br>
<br>
> 3. Following Q2, DPD won't do any good because the MOBIKE task seems to<br>
> have higher priority then delete. Is this behavior fixed in 5.5 recently<br>
> (issues/1410)?<br>
<br>
That issue is related to IKEv1. The idea behind preferring MOBIKE tasks<br>
over others is that without a valid path to the peer there is no point<br>
in sending other messages and if the peer can't be reached, the MOBIKE<br>
exchange, whether it is an update or a DPD, will trigger the DPD action<br>
anyway.<br>
<br>
> 4. I need to support remote devices doing MOBIKE switch but I don't want<br>
> the VPN server in the office to perform MOBIKE switch. It is futile.<br>
> There is no secondary internet interface to switch to. Chaos ensure when<br>
> charon tries to find alternate paths on a 1000 tunnels.<br>
<br>
The MOBIKE task does not necessarily mean that this is an actual MOBIKE<br>
update. With MOBIKE enabled between two peers DPDs are also handled by<br>
these tasks.<br>
<br>
> Can development team<br>
> members point out where I can tweak the source code to silently ignore<br>
> MOBIKE jobs? If I put mobike=no in ipsec.conf I think remote peers won't<br>
> be able to do MOBIKE switch.<br>
<br>
If the MOBIKE task is actually triggered by a network change you can<br>
avoid that by disabling charon.plugins.kernel-netlink.<wbr>roam_events.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>