<div dir="ltr">Hi<div><br></div><div><br></div><div>Are these below not DPD keepalive INFORMATIONAL messages? I think DPD keepalives are being exchanged between the peers.</div><div><br></div><div>=========================</div><div><span style="font-size:12.8px">1[IKE] peer supports MOBIKE<br>
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request<br>
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]<br>
Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)<br>
Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)<br>
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]<br>
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request<br>
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]<br>
Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)<br>
Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)<br>
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]</span><br></div><div><span style="font-size:12.8px">===============================</span></div><div><span style="font-size:12.8px"><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 14, 2018 at 10:42 PM, Kalyani Garigipati (kagarigi) <span dir="ltr"><<a href="mailto:kagarigi@cisco.com" target="_blank">kagarigi@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Could someone reply on this please<br>
<br>
Regards,<br>
Kalyani<br>
<br>
-----Original Message-----<br>
From: Users [mailto:<a href="mailto:users-bounces@lists.strongswan.org">users-bounces@lists.strongswan.org</a>] On Behalf Of Kalyani Garigipati (kagarigi)<br>
Sent: Friday, January 12, 2018 5:22 PM<br>
To: Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>>; bls s <<a href="mailto:blscl@outlook.com">blscl@outlook.com</a>>; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] dpd not getting triggered<br>
<br>
Hi Andreas,<br>
<br>
Sorry, the message came unformatted.<br>
<br>
Basically the message is going out without NAT payloads:<br>
<br>
generating INFORMATIONAL request 3 []<br>
<br>
Please let me know if I have to enable something. I already enabled MOBIKE.<br>
<br>
regards,<br>
kalyani<br>
<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: Users [mailto:<a href="mailto:users-bounces@lists.strongswan.org">users-bounces@lists.strongswan.org</a>] On Behalf Of Kalyani Garigipati (kagarigi)<br>
Sent: Friday, January 12, 2018 4:14 PM<br>
To: Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>>; bls s <<a href="mailto:blscl@outlook.com">blscl@outlook.com</a>>; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] dpd not getting triggered<br>
<br>
Hi Andreas,<br>
<br>
But I observed that even though I enabled MOBIKE, DPD is not sending the NAT detection payload.<br>
<br>
Below are the logs. I am using strongswan-5.6.1.<br>
<br>
charon: 08[NET] sending packet: from 10.127.47.104[500] to 10.104.108.110[500] (524 bytes)<br>
Jan 12 08:34:10 strongswan charon: 10[NET] received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)<br>
Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] received FRAGMENTATION vendor ID<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] received 1 cert requests for an unknown ca<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] sending cert request for "C=US, O=Cisco, CN=BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of '10.127.47.104' (myself) with pre-shared key<br>
Jan 12 08:34:10 strongswan charon: 10[IKE] establishing CHILD_SA net-net{1}<br>
Jan 12 08:34:10 strongswan charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]<br>
Jan 12 08:34:10 strongswan charon: 10[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528 bytes)<br>
Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes)<br>
Jan 12 08:34:10 strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] authentication of '10.104.108.110' with pre-shared key successful<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in 5093s<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime 5573s<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32<br>
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE<br>
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request<br>
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]<br>
Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)<br>
Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)<br>
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]<br>
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request<br>
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]<br>
Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)<br>
Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)<br>
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]<br>
<br>
Regards,<br>
Kalyani<br>
<br>
-----Original Message-----<br>
From: Andreas Steffen [mailto:<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>]<br>
Sent: Friday, January 12, 2018 2:46 PM<br>
To: Kalyani Garigipati (kagarigi) <<a href="mailto:kagarigi@cisco.com">kagarigi@cisco.com</a>>; bls s <<a href="mailto:blscl@outlook.com">blscl@outlook.com</a>>; <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Subject: Re: [strongSwan] dpd not getting triggered<br>
<br>
Hi Kalyani,<br>
<br>
strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC 4555 MOBIKE, which is enabled by default. See<br>
<br>
<a href="https://tools.ietf.org/html/rfc4555#section-3.8" rel="noreferrer" target="_blank">https://tools.ietf.org/html/<wbr>rfc4555#section-3.8</a><br>
<br>
Regards<br>
<br>
Andreas<br>
<br>
On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:<br>
> Hi,<br>
><br>
> <br>
><br>
> Thanks a lot for the reply. It worked. I see the dpd triggering now.<br>
><br>
> <br>
><br>
> I am working on a case where DPD from strongSwan sends the NAT<br>
> detection payloads.<br>
><br>
> I wanted to know under which conditions strongSwan would send a DPD<br>
> request with nat_detection_src_ip and nat_detection_dst_ip.<br>
><br>
> <br>
><br>
> Is it done only in specific cases, like when strongSwan is behind<br>
> NAT? And when strongSwan is a remote-access client?<br>
><br>
> <br>
><br>
> Regards,<br>
><br>
> kalyani<br>
><br>
> <br>
><br>
> *From:*bls s [mailto:<a href="mailto:blscl@outlook.com">blscl@outlook.com</a>]<br>
> *Sent:* Friday, January 12, 2018 6:40 AM<br>
> *To:* Kalyani Garigipati (kagarigi) <<a href="mailto:kagarigi@cisco.com">kagarigi@cisco.com</a>>;<br>
> <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
> *Subject:* RE: [strongSwan] dpd not getting triggered<br>
><br>
> <br>
><br>
> By default dpdaction=none, which disables sending DPD messages.<br>
><br>
> <br>
><br>
> *From: *Kalyani Garigipati (kagarigi) <mailto:<a href="mailto:kagarigi@cisco.com">kagarigi@cisco.com</a>><br>
> *Sent: *Thursday, January 11, 2018 10:47 AM<br>
> *To: *<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a> <mailto:<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>><br>
> *Subject: *[strongSwan] dpd not getting triggered<br>
><br>
> <br>
><br>
> Hi,<br>
><br>
> I am using strongSwan version 5.6.1.<br>
> I found that even though I configured DPD using dpddelay and<br>
> dpdtimeout, DPD is not getting triggered from the strongSwan client at all,<br>
> even though there is no traffic passing.<br>
> Please let me know how to debug this.<br>
><br>
><br>
> config setup<br>
> charondebug=all<br>
> # crlcheckinterval=600<br>
> # strictcrlpolicy=yes<br>
> # cachecrls=yes<br>
> # nat_traversal=yes<br>
> # charonstart=no<br>
><br>
> conn %default<br>
> ikelifetime=100m<br>
> keylife=20m<br>
> rekeymargin=8m<br>
> keyingtries=1<br>
> authby=psk<br>
> keyexchange=ikev2<br>
> ike=aes256-sha256-modp1024<br>
> esp=3des-sha1<br>
> mobike=yes<br>
> dpddelay=5s<br>
> dpdtimeout=150s<br>
><br>
> # Add connections here.<br>
><br>
> # Add connections here.<br>
> conn net-net<br>
> left=10.127.47.104<br>
> leftsubnet=10.127.47.104/32<br>
> leftid=10.127.47.104<br>
> right=10.104.108.110<br>
> rightsubnet=10.104.108.110/32<br>
> rightid=10.104.108.110<br>
> auto=start<br>
><br>
> ~<br>
> Regards,<br>
> kalyani<br>
><br>
<br>
--<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Networked Solutions<br>
HSR University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[INS-HSR]==<br>
<br>
</blockquote></div><br></div>
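<div>The thread above is about reading charon's log to tell whether DPD probes go out and whether they carry the MOBIKE NAT detection notifies. As an added example (not part of the thread and not strongSwan's own code), here is a small Python checker that pairs each DPD INFORMATIONAL request with its response by IKEv2 message id and flags requests that carried N(NATD_S_IP)/N(NATD_D_IP) or never got an answer. The log excerpt is constructed, modelled on the quoted lines, with an unanswered request 4 invented to exercise the failure case; the assumption that the INFORMATIONAL logged by the same worker thread right after "sending DPD request" is the DPD probe is mine, not documented strongSwan behaviour.</div>

```python
import re
from dataclasses import dataclass
# Constructed charon log excerpt modelled on the lines quoted in the thread.
# Request id 4 is invented: it carries the MOBIKE NAT detection notifies and
# never gets a response, so the checker has a failure case to report.
SAMPLE_LOG = """\
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
Jan 12 08:34:25 strongswan charon: 09[IKE] sending DPD request
Jan 12 08:34:25 strongswan charon: 09[ENC] generating INFORMATIONAL request 4 [ N(NATD_S_IP) N(NATD_D_IP) ]
"""

LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")  # "<worker>[<group>] <message>"
INFO_RE = re.compile(r"(generating|parsed) INFORMATIONAL (request|response) (\d+) \[(.*?)\]")

@dataclass
class DpdExchange:
    msg_id: int
    natd: bool              # request carried both N(NATD_S_IP) and N(NATD_D_IP)
    answered: bool = False  # a 'parsed INFORMATIONAL response <id>' was seen

def analyze_dpd(log_text):
    """Pair DPD INFORMATIONAL requests with their responses by IKEv2 message id."""
    mobike = False
    dpd_threads = set()  # workers that logged 'sending DPD request' but no request yet
    exchanges = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if msg == "peer supports MOBIKE":
            mobike = True
        elif msg == "sending DPD request":
            dpd_threads.add(thread)
        elif (i := INFO_RE.search(msg)):
            direction, kind, msg_id, payloads = i[1], i[2], int(i[3]), i[4].split()
            # Assumption: the INFORMATIONAL built right after 'sending DPD request' on the
            # same worker is the DPD probe; other INFORMATIONALs (e.g. deletes) are skipped.
            if direction == "generating" and kind == "request" and thread in dpd_threads:
                dpd_threads.discard(thread)
                exchanges[msg_id] = DpdExchange(msg_id, {"N(NATD_S_IP)", "N(NATD_D_IP)"} <= set(payloads))
            elif direction == "parsed" and kind == "response" and msg_id in exchanges:
                exchanges[msg_id].answered = True
    return {"mobike": mobike, "exchanges": exchanges, "unanswered": sorted(k for k, e in exchanges.items() if not e.answered)}
```

Run against a real charon log (e.g. the output of journalctl -u strongswan) to see which DPD probes went unanswered and whether any carried the NAT detection notifies.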