[strongSwan] DPD

Eduardo Torres Eduardo.Torres at alcatel-lucent.com
Wed May 19 17:18:13 CEST 2010 

Hi Martin,

The behavior I saw is that  5 retransmission in each retry. After 5 
retries IKE_SA changes from connecting to destroying

.......
May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits
May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again 
(4/0)
May 19 10:03:27 linux1 charon: 16[IKE] giving up after 5 retransmits
May 19 10:03:27 linux1 charon: 16[IKE] peer not responding, trying again 
(5/0)
May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retransmits
May 19 10:06:12 linux1 charon: 05[IKE] peer not responding, trying again 
(6/0)
May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retries
May 19 10:06:12 linux1 charon: 05[IKE] IKE_SA 1[3] state change: 
CONNECTING => DESTROYING

The concept of retries is different as retransmissions. Based on the 
logs there is 5 retransmission is each retry.

The question that I have is there a parameter to increase the number of 
retries, Also in ipsec.conf  I set  keyingtries=%forever

Regards

Eduardo

conn %default
          auth=esp
          dpdaction=restart
          dpddelay=10s
          forceencaps=no
          ikelifetime=60s
          installpolicy=yes
          keyexchange=ikev2
          keyingtries=%forever
          keylife=50s
          mobike=no
          pfs=yes
          reauth=no
          rekey=no
          rekeymargin=20s
          rekeyfuzz=10%
          type=tunnel
          leftauth=psk
          rightauth=psk

conn 1
          right=135.112.41.43
          left=135.185.91.86
          leftsubnet=192.168.1.1/32
          rightsubnet=0.0.0.0/0
          esp=aes256-sha1-modp1024,aes256-md5-modp1024,aes256-aesxcbc-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-aesxcbc-modp1024!
          ike=aes128-sha-modp1024,3des-sha-modp1024!
          leftprotoport=132
          auto=start





On 5/19/2010 10:24 AM, Martin Willi wrote:
> Hi,
>
>    
>> Is there any parameter in StrongSwan to increase the number of retries
>> or this value is hardcoded.
>>      
> Starting with 4.4.0, charon supports global configuration options in
> strongswan.conf to control the retransmission behavior [1]. DPD checks
> use the same timeout, as any message exchange in IKEv2 acts as a DPD
> check.
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
>
>

More information about the Users mailing list