[strongSwan] Not working DPD on strongSwan 4.5.2

Dragomir Ivanov drago.ivanov at gmail.com
Thu Dec 20 00:01:58 CET 2012


Hello,
I have the following configuration for an L2TP connection used by an Android
phone:

config setup
        # pluto handles IKEv1 (used by the conn below), charon handles IKEv2
        plutostart=yes
        plutodebug="control controlmore"
        charonstart=yes
        nocrsend=yes
        nat_traversal=yes
        # inner addresses a NATed client may present, matched by %priv below
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        authby=secret
        mobike=no


conn L2TP
        authby=secret
        auto=add
        rekey=no
        pfs=no
        # L2TP/IPsec: transport-mode ESP protecting UDP 1701 on the gateway,
        # any UDP source port on the client
        type=transport
        forceencaps=yes
        compress=yes
        left=212.25.51.133
        leftnexthop=212.25.51.1
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        keyexchange=ikev1
        # DPD (IKEv1): probe after 10s without traffic, declare the peer dead
        # after 60s without a reply, then delete the SAs and close the connection
        dpdaction=clear
        dpdtimeout=60
        dpddelay=10

The phone connects OK. But when the phone is disconnected, the SA stays indefinitely.
With my configuration it should remove the SA in 60 seconds or so,
but it stays like this:

000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0; unrouted; eroute owner: #0
000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP

When I look at tcpdump on UDP ports 500/4500, I see no (DPD) packets from the
IPsec gateway to the remote device (Android).
Is this a bug, or have I misconfigured something? Thank you.
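The status output in the post shows the ISAKMP SA (#1) established with only EVENT_SA_EXPIRE pending, a Quick Mode exchange (#341) stuck at STATE_QUICK_I1 and retransmitting, and "newest IPsec SA: #0", which is consistent with the absence of DPD traffic in tcpdump. The script below is an added example, not part of the original post and not strongSwan code: it parses pluto "ipsec statusall" records (constructed here from the output above with the mail wrapping undone, plus a constructed healthy peer for contrast) and flags connection instances that have DPD configured but whose phase 1 is up with no IPsec SA, whose Quick Mode is retransmitting, or whose ISAKMP SA has no EVENT_DPD timer pending. EVENT_DPD is pluto's DPD timer event name; the function names, and the addresses and serials in the healthy sample, are invented for the example.

```python
"""Flag connections in pluto 'ipsec statusall' output where DPD is configured
but the SA state shows no DPD activity. Added example; not strongSwan code."""
import re
from dataclasses import dataclass, field

# Per-connection attribute line, e.g.  000 "L2TP"[2]:   dpd_action: clear; ...
CONN_RE = re.compile(r'^000 ("[^"]+"(?:\[\d+\])?):\s+(.*)$')
# "key: value;" pairs inside such a line (keys such as "newest IPsec SA" contain spaces)
ATTR_RE = re.compile(r'\s*([\w ]+?):\s*([^;]+?)\s*(?:;|$)')
# Per-state line, e.g.  000 #1: "L2TP"[2] 1.2.3.4:500 STATE_MAIN_R3 (...); EVENT_X in 5s
STATE_RE = re.compile(
    r'^000 #(\d+): ("[^"]+"(?:\[\d+\])?) (\S+) (STATE_\w+) \(([^)]*)\); '
    r'(EVENT_\w+) in (\d+)s')


@dataclass
class StateInfo:
    serial: int    # pluto state serial (#nnn)
    peer: str      # peer address:port
    state: str     # STATE_* name
    detail: str    # text in parentheses, e.g. "sent MR3, ISAKMP SA established"
    event: str     # next pending timer event
    event_in: int  # seconds until that event


@dataclass
class ConnInfo:
    name: str
    attrs: dict = field(default_factory=dict)
    states: list = field(default_factory=list)


def parse_statusall(text):
    """Group statusall lines by connection instance, e.g. "L2TP" and "L2TP"[2]."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            serial, name, peer, state, detail, event, secs = m.groups()
            conns.setdefault(name, ConnInfo(name)).states.append(
                StateInfo(int(serial), peer, state, detail, event, int(secs)))
            continue
        m = CONN_RE.match(line)
        if m:
            name, rest = m.groups()
            conns.setdefault(name, ConnInfo(name)).attrs.update(ATTR_RE.findall(rest))
    return conns


def dpd_gaps(conns):
    """Return (instance, reason) pairs for instances with DPD configured whose
    SA state shows DPD is not running."""
    findings = []
    for name, conn in conns.items():
        if conn.attrs.get('dpd_action', 'none') == 'none' or not conn.states:
            continue  # DPD off, or a template entry with no live SAs
        isakmp = conn.attrs.get('newest ISAKMP SA', '#0')
        ipsec = conn.attrs.get('newest IPsec SA', '#0')
        if isakmp != '#0' and ipsec == '#0':
            findings.append((name, f'ISAKMP SA {isakmp} established but no IPsec SA '
                                   f'(phase 2 never completed)'))
        for st in conn.states:
            if st.state.startswith('STATE_QUICK') and st.event == 'EVENT_RETRANSMIT':
                findings.append((name, f'#{st.serial} stuck in {st.state}, '
                                       f'retransmitting (next in {st.event_in}s)'))
            if 'ISAKMP SA established' in st.detail and st.event != 'EVENT_DPD':
                findings.append((name, f'#{st.serial} ISAKMP SA has no EVENT_DPD '
                                       f'pending; next event {st.event} in {st.event_in}s'))
    return findings


# Constructed from the statusall output in the post, with line wrapping undone.
STALE_STATUS = """\
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP
"""

# Constructed contrast case (addresses and serials invented): IPsec SA up and a
# DPD timer pending on the ISAKMP SA, so nothing should be flagged.
HEALTHY_STATUS = """\
000 "L2TP"[3]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[3]:   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 #6: "L2TP"[3] 198.51.100.7:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 900s; newest IPsec; eroute owner
000 #5: "L2TP"[3] 198.51.100.7:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_DPD in 7s; newest ISAKMP
"""

if __name__ == '__main__':
    for label, status in (('stale', STALE_STATUS), ('healthy', HEALTHY_STATUS)):
        gaps = dpd_gaps(parse_statusall(status))
        print(f'{label}: {len(gaps)} finding(s)')
        for name, reason in gaps:
            print(f'  {name}: {reason}')
```

Run it against `ipsec statusall` output piped into `parse_statusall` on the gateway; the stale sample yields three findings for "L2TP"[2] and the healthy sample none, so the checks separate a peer that merely went quiet from one whose phase 2 never came up and whose ISAKMP SA is waiting only on its expiry timer.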