[strongSwan] Not working DPD on strongSwan 4.5.2

Andreas Steffen andreas.steffen at strongswan.org
Thu Dec 20 06:04:49 CET 2012


Hi Dragomir,

with your configuration DPD should work but your ipsec status
shows with

  STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s

that the IPsec connection has not been fully established and therefore
no DPD payloads are sent.

Regards

Andreas

On 20.12.2012 00:01, Dragomir Ivanov wrote:
> Hello,
> I have the following configuration for L2TP connection used by Android
> phone:
>
> config setup
>          plutostart=yes
>          plutodebug="control controlmore"
>          charonstart=yes
>          nocrsend=yes
>          nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> <http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12>
>
> conn %default
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=%forever
>          authby=secret
>          mobike=no
>
>
> conn L2TP
>          authby=secret
>          auto=add
>          rekey=no
>          pfs=no
>          type=transport
>          forceencaps=yes
>          compress=yes
>          left=212.25.51.133
>          leftnexthop=212.25.51.1
>          leftprotoport=17/1701
>          right=%any
>          rightprotoport=17/%any
>          rightsubnet=vhost:%no,%priv
>          keyexchange=ikev1
>          dpdaction=clear
>          dpdtimeout=60
>          dpddelay=10
>
> Phone connects OK. But when phone is disconnected, SA stays
> indefinitely. With my configuration it should remove SA association in
> 60seconds or so, but it stays like this:
>
> 000 "L2TP":
> 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?;
> unrouted; eroute owner: #0
> 000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
> 000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;
> interface: eth1;
> 000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP"[2]:
> 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0;
> unrouted; eroute owner: #0
> 000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
> 000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;
> interface: eth1;
> 000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
> 000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000
> 000 #341: "L2TP"[2] 213.226.63.142:33677 <http://213.226.63.142:33677>
> STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
> 000 #1: "L2TP"[2] 213.226.63.142:33677 <http://213.226.63.142:33677>
> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in
> 3972s; newest ISAKMP
>
> When I look on tcpdump on udp ports 500/4500, I see no packets(DPD) from
> IPSec gateway, to remote device (Android).
> Is this a bug, or I have misconfigured something? Thank you.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121220/b47ebc89/attachment.bin>


More information about the Users mailing list