[strongSwan] DPD

Eduardo Torres Eduardo.Torres at alcatel-lucent.com
Wed May 26 18:42:31 CEST 2010


Hi Martin,

Any idea why strongSwan only retries 5 times before destroying the IKE_SA?
Is that value hard-coded, or is there any parameter I can change?

Thanks and Regards
Eduardo

On 5/19/2010 11:18 AM, Eduardo Torres wrote:
> Hi Martin,
>
> The behavior I saw is 5 retransmissions in each retry. After 5
> retries the IKE_SA changes from CONNECTING to DESTROYING.
>
> .......
> May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits
> May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again (4/0)
> May 19 10:03:27 linux1 charon: 16[IKE] giving up after 5 retransmits
> May 19 10:03:27 linux1 charon: 16[IKE] peer not responding, trying again (5/0)
> May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retransmits
> May 19 10:06:12 linux1 charon: 05[IKE] peer not responding, trying again (6/0)
> May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retries
> May 19 10:06:12 linux1 charon: 05[IKE] IKE_SA 1[3] state change: CONNECTING => DESTROYING
>
> The concept of retries is different from retransmissions. Based on the
> logs there are 5 retransmissions in each retry.
>
> The question that I have is: is there a parameter to increase the number
> of retries? Also, in ipsec.conf I set keyingtries=%forever.
>
> Regards
>
> Eduardo
>
> conn %default
>          auth=esp
>          dpdaction=restart
>          dpddelay=10s
>          forceencaps=no
>          ikelifetime=60s
>          installpolicy=yes
>          keyexchange=ikev2
>          keyingtries=%forever
>          keylife=50s
>          mobike=no
>          pfs=yes
>          reauth=no
>          rekey=no
>          rekeymargin=20s
>          rekeyfuzz=10%
>          type=tunnel
>          leftauth=psk
>          rightauth=psk
>
> conn 1
>          right=135.112.41.43
>          left=135.185.91.86
>          leftsubnet=192.168.1.1/32
>          rightsubnet=0.0.0.0/0
>          esp=aes256-sha1-modp1024,aes256-md5-modp1024,aes256-aesxcbc-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-aesxcbc-modp1024!
>          ike=aes128-sha-modp1024,3des-sha-modp1024!
>          leftprotoport=132
>          auto=start
>
> On 5/19/2010 10:24 AM, Martin Willi wrote:
>> Hi,
>>
>>> Is there any parameter in strongSwan to increase the number of retries,
>>> or is this value hardcoded?
>> Starting with 4.4.0, charon supports global configuration options in
>> strongswan.conf to control the retransmission behavior [1]. DPD checks
>> use the same timeout, as any message exchange in IKEv2 acts as a DPD
>> check.
>>
>> Regards
>> Martin
>>
>> [1]http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
>>
>
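Added example (an editor's illustration, not code from the thread and not strongSwan's own code): a small Python script that models charon's IKEv2 retransmission schedule from the strongswan.conf options Martin's reply points at, and checks it against the timestamps in the log Eduardo posted. The strongSwan retransmission page gives the timeout of the n-th retransmit as retransmit_timeout * retransmit_base^n, with defaults retransmit_timeout = 4.0, retransmit_base = 1.8 and retransmit_tries = 5. With those defaults an unanswered exchange is given up on about 165 s after the first send, which is exactly the 2 min 45 s spacing between the "giving up after 5 retransmits" lines in the log. The log lines embedded below are copied from the thread; the parsing, the arithmetic and all function names are the example's own.

```python
# Added example (editor's illustration, not code from the thread or from
# strongSwan): model charon's IKEv2 retransmission schedule and compare it
# with the timestamps in the posted log.
#
# strongSwan's retransmission page documents the relative timeout of the
# n-th retransmit as  retransmit_timeout * retransmit_base ** n  with the
# defaults retransmit_timeout = 4.0 s, retransmit_base = 1.8 and
# retransmit_tries = 5 (settable in the charon section of strongswan.conf
# from 4.4.0 on). Function names below are this example's own.
import re
from datetime import datetime


def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Wait time, in seconds, after the initial send and after each of the
    `tries` retransmits: attempt n waits timeout * base**n."""
    return [timeout * base ** n for n in range(tries + 1)]


def time_to_give_up(timeout=4.0, base=1.8, tries=5):
    """Seconds from the first send of an exchange until charon logs
    'giving up after N retransmits'."""
    return sum(retransmit_schedule(timeout, base, tries))


# Log excerpt copied from Eduardo's mail (the only input this example uses).
LOG = """\
May 19 10:00:42 linux1 charon: 15[IKE] giving up after 5 retransmits
May 19 10:00:42 linux1 charon: 15[IKE] peer not responding, trying again (4/0)
May 19 10:03:27 linux1 charon: 16[IKE] giving up after 5 retransmits
May 19 10:03:27 linux1 charon: 16[IKE] peer not responding, trying again (5/0)
May 19 10:06:12 linux1 charon: 05[IKE] giving up after 5 retransmits
May 19 10:06:12 linux1 charon: 05[IKE] peer not responding, trying again (6/0)
"""

GIVE_UP = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] "
    r"giving up after (?P<n>\d+) retransmits$"
)


def give_up_events(log, year=2010):
    """(timestamp, retransmit count) for every 'giving up' line in the log.
    syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in log.splitlines():
        m = GIVE_UP.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m["n"])))
    return events


def retry_intervals(log, year=2010):
    """Seconds between consecutive 'giving up' lines. Each interval is one
    whole keying retry: the initial send plus every retransmit of one
    exchange that never got an answer."""
    stamps = [ts for ts, _ in give_up_events(log, year)]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def log_matches_defaults(log, tolerance=1.0):
    """True if the spacing of the retries in the log agrees with the default
    retransmission budget to within `tolerance` seconds, i.e. the 5
    retransmits per retry come from retransmit_tries, not from keyingtries."""
    expected = time_to_give_up()
    return all(abs(i - expected) <= tolerance for i in retry_intervals(log))


if __name__ == "__main__":
    for n, wait in enumerate(retransmit_schedule()):
        print(f"after send #{n}: wait {wait:6.2f} s")
    print(f"give up after {time_to_give_up():.1f} s")
    print("log intervals:", retry_intervals(LOG))
    print("matches default schedule:", log_matches_defaults(LOG))
    # What a longer budget would look like, e.g. retransmit_tries = 8:
    print(f"with retransmit_tries=8: {time_to_give_up(tries=8):.0f} s")
```

Two practical consequences follow from this. First, raising retransmit_tries (or retransmit_timeout) in the charon section of strongswan.conf lengthens each individual retry, while the number of whole retries is the separate keyingtries setting in ipsec.conf. Second, because Martin notes that IKEv2 DPD uses the same retransmission timers, a dpddelay of 10s only controls when the DPD exchange is started; a dead peer is declared only after the full retransmission budget has elapsed on top of that.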