[strongSwan-dev] Help needed on Dead peer detection
bhashkar prakash singh
singh.bhashkar at gmail.com
Tue Feb 17 03:35:33 CET 2015
Hi,

I am using strongSwan in my project. I need some help with dead peer
detection (DPD).

In my software, when a dead peer is detected, an alarm is thrown.
'dpdtimeout = 120s and dpddelay=10s' is set in the IPSec.conf file.

Initially the IPsec tunnel between my device and the gateway is established
properly and packets can flow between them. Then after some time I disable
the physical interface on my device, so after dpdtimeout = 120s, the dead
peer should be detected and the alarm should be thrown. But I observe that
dead peer detection is taking more than 180 seconds. After around 190
seconds, the dead peer is detected and the alarm is thrown. Can someone help:
why is it taking more than 120 seconds to detect the dead peer?

Thank you very much in advance.

*IPSec policy configuration on device:*
config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

conn %default
    auto=start
    pfs=no
    forceencaps=no
    keyingtries=%forever
    mobike=no

conn conn1
    type=tunnel
    leftsubnet=10.10.10.12/24
    rightsubnet=10.10.10.7/24
    left=10.10.10.12
    right=10.10.10.7
    keyexchange=ikev2
    reauth=no
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83376s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=86400s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rekeyfuzz=50%
    rekeymargin=180s

============================================================
*IPSec Configuration on gateway:*
config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

conn %default
    auto=start
    pfs=no
    forceencaps=no
    keyingtries=%forever
    mobike=no

conn conn1
    type=tunnel
    leftsubnet=10.10.10.7/24
    rightsubnet=10.10.10.12/24
    left=10.10.10.7
    right=10.10.10.12
    keyexchange=ikev2
    reauth=no
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83376s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=300s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rekeyfuzz=50%
    rekeymargin=180s

Regards,
Bhashkar
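
Added example, not part of the original post and not strongSwan code: the ipsec.conf man page states that dpdtimeout applies only to IKEv1, and that for IKEv2 (keyexchange=ikev2, as in conn1 above) the retransmission timeout decides when a peer is declared dead. The sketch computes that schedule from the documented strongswan.conf defaults (charon.retransmit_timeout=4.0, retransmit_base=1.8, retransmit_tries=5), assuming they are unchanged on the poster's device; the function names are illustrative.

```python
# Added example: estimate IKEv2 dead-peer detection time in charon.
# Defaults are the documented strongswan.conf values (assumed unchanged).
RETRANSMIT_TIMEOUT = 4.0   # charon.retransmit_timeout, seconds
RETRANSMIT_BASE = 1.8      # charon.retransmit_base
RETRANSMIT_TRIES = 5       # charon.retransmit_tries

# DPD-related options copied from conn1 in the post.
CONN1 = {"keyexchange": "ikev2", "dpddelay": "10s", "dpdtimeout": "120s"}


def seconds(value):
    """Parse an ipsec.conf time value such as '10s', '2m' or '1h'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return float(value[:-1]) * units[value[-1]]
    return float(value)


def give_up_after(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                  tries=RETRANSMIT_TRIES):
    """Seconds from the first send until the exchange is abandoned.

    Wait number n (n = 0..tries) lasts timeout * base**n; the final wait
    follows the last retransmit.
    """
    return sum(timeout * base ** n for n in range(tries + 1))


def worst_case_detection(conn, **retransmit):
    """Upper estimate of the time from link loss to dead-peer detection."""
    if conn.get("keyexchange") == "ikev2":
        # dpdtimeout is ignored; a DPD request goes out after dpddelay of
        # silence and then runs through the retransmission schedule.
        return seconds(conn["dpddelay"]) + give_up_after(**retransmit)
    return seconds(conn["dpdtimeout"])  # IKEv1: dpdtimeout is the bound


def max_tries_within(conn, target, limit=20):
    """Largest retransmit_tries (up to limit) that keeps detection <= target."""
    fitting = [t for t in range(limit + 1)
               if worst_case_detection(conn, tries=t) <= target]
    return max(fitting) if fitting else None


if __name__ == "__main__":
    print(f"give up after   : {give_up_after():.1f}s")
    print(f"worst case      : {worst_case_detection(CONN1):.1f}s")
    print(f"tries for <=120s: {max_tries_within(CONN1, 120)}")
```

With the defaults the request is abandoned about 165 seconds after it is first sent, so an estimate of roughly 175 seconds with dpddelay=10s is in the range the post reports; retransmit_tries=4 is the largest value that keeps the estimate under 120 seconds.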