[strongSwan] How to test DPD

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 22 19:04:15 CEST 2010


We test DPD by temporarily blocking the network connection between
the peers by inserting an iptables DROP rule in the firewall,
then waiting until DPD has dropped the connection for sure,
and then enabling it again:

moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
           rw{1}:  INSTALLED, TUNNEL, ESP SPIs: c027534b_i c1470ab0_o

moon# iptables -A INPUT -i eth0 -s 192.168.0.100 -j DROP

carol# iptables -A INPUT -i eth0 -s 192.168.0.1 -j DROP

carol# sleep 180

carol# cat /var/log/daemon.log | grep 'sending DPD request' [YES]
May  2 23:15:38 carol charon: 02[IKE] sending DPD request

carol# cat /var/log/daemon.log | grep 'retransmit.*of request' [YES]
May  2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May  2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May  2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May  2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May  2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May  2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0

carol# cat /var/log/daemon.log | grep 'giving up after 5 retransmits' [YES]
May  2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits

carol# iptables -D INPUT -i eth0 -s 192.168.0.1 -j DROP

moon# iptables -D INPUT -i eth0 -s 192.168.0.100 -j DROP

carol# sleep 10

carol# ipsec statusall | grep 'home.*INSTALLED' [YES]
         home{2}:  INSTALLED, TUNNEL, ESP SPIs: c78419d4_i c7edebd7_o

moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
           rw{2}:  INSTALLED, TUNNEL, ESP SPIs: c7edebd7_i c78419d4_o

Regards

Andreas

On 22.06.2010 18:01, Dhanavel P wrote:
> Hi All,
>       I am trying to establish a Host-to-Host DPD connection.
>
> I added the following in the ipsec.conf file (in both Moon and Sun)
>
>            dpdaction=restart
>            dpddelay=5
>            dpdtimeout=10
>
> After that I start IPsec and establish the connection by ipsec up
> <connection name>.
> The output says the DPD connection is established and there is no error...
>
> Kindly help me out: how do I test and verify this setup?
> What are the steps that I have to follow for testing?
>
> Thanks in Advance
>
> Regards,
> Dhanavel

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
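The block / wait / unblock procedure above, as an added shell example that is not part of Andreas' post, of strongSwan, or of its test framework: it runs the same steps on one peer (the other peer runs the mirror-image DROP rule, as in the post) and then checks the log and the `ipsec statusall` output mechanically instead of by eye. PEER, IFACE, CONN, LOG, DPD_WAIT, RETRANSMITS, the `DPD_LIVE` switch and all helper function names are this example's own assumptions. The embedded sample log lines are the ones quoted above, unwrapped; the "before" status line for carol is constructed as the mirror of moon's `rw{1}` line. Without `DPD_LIVE=1` the script only runs the checks against that sample, so it can be run offline and without root.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): run the DPD
# test on one peer and check the evidence in the log and in 'ipsec statusall'.
# PEER, IFACE, CONN, LOG, DPD_WAIT, RETRANSMITS and the helpers are assumptions.
set -u

PEER="${PEER:-192.168.0.1}"       # peer whose packets we drop (moon, seen from carol)
IFACE="${IFACE:-eth0}"
CONN="${CONN:-home}"              # connection name as printed by 'ipsec statusall'
LOG="${LOG:-/var/log/daemon.log}"
DPD_WAIT="${DPD_WAIT:-180}"       # the same 180 s the post sleeps
RETRANSMITS="${RETRANSMITS:-5}"   # charon's default retransmit_tries (assumed)

# Did charon send a DPD request at all?
dpd_request_seen() { grep -q 'sending DPD request' "$1"; }

# Count the retransmits of the first retransmitted request (one message ID).
# After the restart low message IDs are reused, so only the first ID is counted.
dpd_retransmit_count() {
    awk '/retransmit [0-9]+ of request with message ID [0-9]+/ {
             if (first == "") first = $NF
             if ($NF == first) n++
         }
         END { print n + 0 }' "$1"
}

# Did charon declare the peer dead after N retransmits?
dpd_gave_up() { grep -q "giving up after $2 retransmits" "$1"; }

# Print the ESP SPI pair of CONN's INSTALLED CHILD_SA from a statusall dump
# (the CHILD_SA line is 'conn{n}:', the IKE_SA line 'conn[n]:').
sa_spis() {
    grep -E "^[[:space:]]*$2\{[0-9]+\}:[[:space:]]+INSTALLED" "$1" |
        sed -n 's/.*ESP SPIs: *\([0-9a-f]*_i [0-9a-f]*_o\).*/\1/p' | head -n 1
}

# DPD only proved something if the SA after the outage is a new one:
# INSTALLED in both dumps, but with different SPIs.
dpd_restarted() {
    _b=$(sa_spis "$1" "$3"); _a=$(sa_spis "$2" "$3")
    [ -n "$_b" ] && [ -n "$_a" ] && [ "$_b" != "$_a" ]
}

# Worst case from the first DPD request to "giving up": sum of t * b^i for
# i = 0..n. The charon defaults assumed here (retransmit_timeout 4.0,
# retransmit_base 1.8, retransmit_tries 5) match the gaps in the post's log
# (4, 7, 13, 23, 42, 76 s). Add dpddelay to get the minimum DPD_WAIT.
dpd_worst_case_seconds() {
    awk -v t="${1:-4.0}" -v b="${2:-1.8}" -v n="${3:-$RETRANSMITS}" \
        'BEGIN { for (i = 0; i <= n; i++) s += t * b ^ i; printf "%d\n", s }'
}

# The live procedure from the post, one side. Needs root and a running charon.
dpd_live_test() {
    _before=$(mktemp); _after=$(mktemp); _cut=$(mktemp)
    ipsec statusall >"$_before"
    [ -n "$(sa_spis "$_before" "$CONN")" ] || { echo "$CONN not INSTALLED"; return 1; }
    _start=$(wc -l <"$LOG")          # only judge log lines written from now on
    iptables -A INPUT -i "$IFACE" -s "$PEER" -j DROP
    sleep "$DPD_WAIT"
    iptables -D INPUT -i "$IFACE" -s "$PEER" -j DROP
    sleep 10
    ipsec statusall >"$_after"
    tail -n +$((_start + 1)) "$LOG" >"$_cut"
    dpd_request_seen "$_cut" &&
        [ "$(dpd_retransmit_count "$_cut")" -ge "$RETRANSMITS" ] &&
        dpd_gave_up "$_cut" "$RETRANSMITS" &&
        dpd_restarted "$_before" "$_after" "$CONN"
}

# Constructed sample data: the post's log lines unwrapped, the post's
# home{2} line, and a made-up home{1} line mirroring moon's rw{1}.
DPD_SAMPLE_LOG=$(mktemp); DPD_SAMPLE_BEFORE=$(mktemp); DPD_SAMPLE_AFTER=$(mktemp)
cat >"$DPD_SAMPLE_LOG" <<'EOF'
May  2 23:15:38 carol charon: 02[IKE] sending DPD request
May  2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May  2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May  2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May  2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May  2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May  2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits
May  2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0
EOF
cat >"$DPD_SAMPLE_BEFORE" <<'EOF'
         home{1}:  INSTALLED, TUNNEL, ESP SPIs: c1470ab0_i c027534b_o
EOF
cat >"$DPD_SAMPLE_AFTER" <<'EOF'
         home{2}:  INSTALLED, TUNNEL, ESP SPIs: c78419d4_i c7edebd7_o
EOF

if [ "${DPD_LIVE:-0}" = 1 ]; then
    dpd_live_test && echo "DPD test passed: $CONN torn down and re-established"
else
    echo "retransmits in sample: $(dpd_retransmit_count "$DPD_SAMPLE_LOG") (expect $RETRANSMITS)"
    echo "worst case to give up: $(dpd_worst_case_seconds) s (DPD_WAIT=$DPD_WAIT)"
    dpd_restarted "$DPD_SAMPLE_BEFORE" "$DPD_SAMPLE_AFTER" "$CONN" && echo "new SA after outage"
fi
```

Two checks in this script go beyond reading the log by eye. The SPI comparison is what shows that DPD actually tore the CHILD_SA down and `dpdaction=restart` built a new one (`home{1}` with one SPI pair becomes `home{2}` with another), rather than the old SA simply surviving the outage. The worst-case figure explains the 180 s sleep: with the assumed charon retransmission defaults the five retransmits plus the final timeout add up to about 165 s after the first DPD request, so a shorter wait, such as one sized from the `dpdtimeout=10` in the question, would unblock the peers before charon has given up and the test would prove nothing.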
