[strongSwan] How to test DPD
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jun 22 19:04:15 CEST 2010
We test DPD by temporarily blocking the network connection between
the peers by inserting an iptables DROP rule in the firewall,
then waiting until DPD has dropped the connection for sure,
and then enabling it again:
moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
rw{1}: INSTALLED, TUNNEL, ESP SPIs: c027534b_i c1470ab0_o
moon# iptables -A INPUT -i eth0 -s 192.168.0.100 -j DROP
carol# iptables -A INPUT -i eth0 -s 192.168.0.1 -j DROP
carol# sleep 180
carol# cat /var/log/daemon.log | grep 'sending DPD request' [YES]
May 2 23:15:38 carol charon: 02[IKE] sending DPD request
carol# cat /var/log/daemon.log | grep 'retransmit.*of request' [YES]
May 2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May 2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May 2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May 2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May 2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May 2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0
carol# cat /var/log/daemon.log | grep 'giving up after 5 retransmits' [YES]
May 2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits
carol# iptables -D INPUT -i eth0 -s 192.168.0.1 -j DROP
moon# iptables -D INPUT -i eth0 -s 192.168.0.100 -j DROP
carol# sleep 10
carol# ipsec statusall | grep 'home.*INSTALLED' [YES]
home{2}: INSTALLED, TUNNEL, ESP SPIs: c78419d4_i c7edebd7_o
moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
rw{2}: INSTALLED, TUNNEL, ESP SPIs: c7edebd7_i c78419d4_o
Regards
Andreas
On 22.06.2010 18:01, Dhanavel P wrote:
> Hi All,
> I am trying to establish Host to Host DPD connection.
>
> I added the following in the ipsec.conf file (in both Moon and Sun)
>
> dpdaction=restart
> dpddelay=5
> dpdtimeout=10
>
> After that I start IPsec and establish the connection by ipsec up
> <connection name>.
> The output is like DPD connection established and there is no error...
>
> Kindly help me out, how to test and verify this setup.
> What are the steps that I have to follow for testing?
>
> Thanks in Advance
>
> Regards,
> Dhanavel
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
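
The retransmit timestamps in carol's log above follow charon's exponential backoff; with strongSwan's default settings (retransmit_tries=5, retransmit_timeout=4.0, retransmit_base=1.8, assumed here) the schedule adds up to about 165 seconds, inside the 180-second sleep. The following is an added example, not part of the original message or the strongSwan test suite, that checks a daemon.log for this sequence; the function names are this example's own.

```python
import re
from datetime import datetime

# carol's daemon.log lines quoted in the message above (wrapped lines rejoined, time order)
SAMPLE_LOG = """\
May 2 23:15:38 carol charon: 02[IKE] sending DPD request
May 2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May 2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May 2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May 2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May 2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May 2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits
May 2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$")
RETX = re.compile(r"retransmit (\d+) of request with message ID (\d+)")

def expected_schedule(tries=5, timeout=4.0, base=1.8):
    # Wait before each retransmit and before giving up: timeout * base**n (assumed defaults)
    return [timeout * base ** n for n in range(tries + 1)]

def dpd_gaps(log):
    # Seconds between the DPD request, each of its retransmits, and the give-up
    times, msg_id = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year; any fixed year works for computing gaps
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        event, retx = m.group(2), RETX.search(m.group(2))
        if "sending DPD request" in event:
            times, msg_id = [ts], None          # start of a new DPD exchange
        elif retx and times:
            msg_id = msg_id or retx.group(2)    # lock onto the DPD message ID
            if retx.group(2) == msg_id and int(retx.group(1)) == len(times):
                times.append(ts)
        elif "giving up after" in event and times:
            times.append(ts)
            return [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return None  # peer answered, or the log ends before the give-up

def matches_schedule(gaps, schedule, slack=1.0):
    # slack absorbs the one-second resolution of syslog timestamps
    return gaps is not None and len(gaps) == len(schedule) and all(
        abs(g - s) <= slack for g, s in zip(gaps, schedule))
```

A `None` result from `dpd_gaps` means no give-up was logged, so either the DROP rule did not block the peer or the sleep was too short for the configured retransmission settings.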