[strongSwan] DPD
Eduardo Torres
Eduardo.Torres at alcatel-lucent.com
Wed May 26 18:42:31 CEST 2010
Hi Martin,
Any idea why StrongSwan only retries 5 times before destroying the IKE_SA?
Is that value hard-coded, or is there any parameter I can change?
Thanks and Regards
Eduardo
On 5/19/2010 11:18 AM, Eduardo Torres wrote:
> Hi Martin,
>
> The behavior I saw is that there are 5 retransmissions in each retry. After 5
> retries the IKE_SA changes from CONNECTING to DESTROYING.
>
> .......
> May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits
> May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again (4/0)
> May 19 10:03:27 linux1 charon: 16[IKE] giving up after 5 retransmits
> May 19 10:03:27 linux1 charon: 16[IKE] peer not responding, trying again (5/0)
> May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retransmits
> May 19 10:06:12 linux1 charon: 05[IKE] peer not responding, trying again (6/0)
> May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retries
> May 19 10:06:12 linux1 charon: 05[IKE] IKE_SA 1[3] state change: CONNECTING => DESTROYING
>
> The concept of retries is different from retransmissions. Based on the
> logs there are 5 retransmissions in each retry.
>
> The question that I have is: is there a parameter to increase the number
> of retries? Also, in ipsec.conf I set keyingtries=%forever.
>
> Regards
>
> Eduardo
>
> conn %default
>     auth=esp
>     dpdaction=restart
>     dpddelay=10s
>     forceencaps=no
>     ikelifetime=60s
>     installpolicy=yes
>     keyexchange=ikev2
>     keyingtries=%forever
>     keylife=50s
>     mobike=no
>     pfs=yes
>     reauth=no
>     rekey=no
>     rekeymargin=20s
>     rekeyfuzz=10%
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>
> conn 1
>     right=135.112.41.43
>     left=135.185.91.86
>     leftsubnet=192.168.1.1/32
>     rightsubnet=0.0.0.0/0
>     esp=aes256-sha1-modp1024,aes256-md5-modp1024,aes256-aesxcbc-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-aesxcbc-modp1024!
>     ike=aes128-sha-modp1024,3des-sha-modp1024!
>     leftprotoport=132
>     auto=start
>
> On 5/19/2010 10:24 AM, Martin Willi wrote:
>> Hi,
>>
>>> Is there any parameter in StrongSwan to increase the number of retries
>>> or this value is hardcoded.
>> Starting with 4.4.0, charon supports global configuration options in
>> strongswan.conf to control the retransmission behavior [1]. DPD checks
>> use the same timeout, as any message exchange in IKEv2 acts as a DPD
>> check.
>>
>> Regards
>> Martin
>>
>> [1]http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
>>
>
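Martin's pointer to the strongswan.conf retransmission options can be checked against the timestamps in the quoted log. The Python below is an added example, not code from this thread or from the strongSwan project. It computes charon's retransmission schedule from the charon.retransmit_tries, charon.retransmit_timeout and charon.retransmit_base settings, using the documented defaults (5 retransmits, 4.0 s, base 1.8), and measures the gap between consecutive "giving up after 5 retransmits" lines; the log lines from the quoted message are reused here as sample input. A gap of 165 s per attempt is what the defaults predict, which is the check that no retransmission option had been changed on that host.

```python
import re
from datetime import datetime

# Documented strongswan.conf defaults for charon.retransmit_tries,
# charon.retransmit_timeout (seconds) and charon.retransmit_base.
DEFAULT_TRIES = 5
DEFAULT_TIMEOUT = 4.0
DEFAULT_BASE = 1.8


def retransmit_schedule(tries=DEFAULT_TRIES, timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE):
    """Delays in seconds between successive sends of one IKE request.

    charon sends the request, retransmits it after timeout * base**0,
    timeout * base**1, ..., timeout * base**(tries-1) seconds, and after the
    last retransmit waits timeout * base**tries more seconds before logging
    "giving up after N retransmits". That gives tries + 1 waits in total.
    """
    return [timeout * base ** i for i in range(tries + 1)]


def time_to_give_up(tries=DEFAULT_TRIES, timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE):
    """Seconds from the first send of a request until charon gives up on it."""
    return sum(retransmit_schedule(tries, timeout, base))


# Matches the syslog-style prefix of charon's "giving up" line.
GIVEUP_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"\d+\[IKE\] giving up after \d+ retransmits$"
)


def giveup_intervals(log_lines, year=2010):
    """Seconds between consecutive 'giving up after N retransmits' lines.

    syslog timestamps carry no year, so one is supplied (assumed 2010, the
    year of the thread) purely to build comparable datetime objects.
    """
    stamps = []
    for line in log_lines:
        m = GIVEUP_RE.match(line.strip())
        if m:
            stamps.append(datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S"))
    return [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]


# Constructed sample input: the log lines quoted in the thread, unwrapped.
SAMPLE_LOG = [
    "May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits",
    "May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again (4/0)",
    "May 19 10:03:27 linux1 charon: 16[IKE] giving up after 5 retransmits",
    "May 19 10:03:27 linux1 charon: 16[IKE] peer not responding, trying again (5/0)",
    "May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retransmits",
    "May 19 10:06:12 linux1 charon: 05[IKE] peer not responding, trying again (6/0)",
    "May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retries",
    "May 19 10:06:12 linux1 charon: 05[IKE] IKE_SA 1[3] state change: CONNECTING => DESTROYING",
]


if __name__ == "__main__":
    print("default schedule (s):", [round(d, 1) for d in retransmit_schedule()])
    print("default time to give up (s):", round(time_to_give_up(), 1))
    print("observed gaps between give-ups (s):", giveup_intervals(SAMPLE_LOG))
    # A hypothetical change to illustrate the knob Martin refers to.
    print("with retransmit_tries=7 (s):", round(time_to_give_up(tries=7), 1))
```

The 165 s figure is the lifetime of one exchange attempt; the (4/0), (5/0), (6/0) counter in the log is the separate per-IKE_SA retry count the poster distinguishes from retransmissions. To lengthen an attempt, raise charon.retransmit_tries or charon.retransmit_timeout in strongswan.conf; calling time_to_give_up with the candidate values shows the resulting window before the change is deployed.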