[strongSwan] Not working DPD on strongSwan 4.5.2
Andreas Steffen
andreas.steffen at strongswan.org
Thu Dec 20 06:04:49 CET 2012
Hi Dragomir,
with your configuration DPD should work, but your ipsec status
shows, with
STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
that the IPsec connection has not been fully established and therefore
no DPD payloads are sent.
Regards
Andreas
On 20.12.2012 00:01, Dragomir Ivanov wrote:
> Hello,
> I have the following configuration for an L2TP connection used by an Android
> phone:
>
> config setup
> plutostart=yes
> plutodebug="control controlmore"
> charonstart=yes
> nocrsend=yes
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=%forever
> authby=secret
> mobike=no
>
>
> conn L2TP
> authby=secret
> auto=add
> rekey=no
> pfs=no
> type=transport
> forceencaps=yes
> compress=yes
> left=212.25.51.133
> leftnexthop=212.25.51.1
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> rightsubnet=vhost:%no,%priv
> keyexchange=ikev1
> dpdaction=clear
> dpdtimeout=60
> dpddelay=10
>
> The phone connects OK. But when the phone is disconnected, the SA stays
> indefinitely. With my configuration it should remove the SA in
> 60 seconds or so, but it stays like this:
>
> 000 "L2TP":
> 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?;
> unrouted; eroute owner: #0
> 000 "L2TP": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "L2TP": dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
> 000 "L2TP": policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;
> interface: eth1;
> 000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP"[2]:
> 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0;
> unrouted; eroute owner: #0
> 000 "L2TP"[2]: ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "L2TP"[2]: dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
> 000 "L2TP"[2]: policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32;
> interface: eth1;
> 000 "L2TP"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
> 000 "L2TP"[2]: IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
> 000
> 000 #341: "L2TP"[2] 213.226.63.142:33677
> STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
> 000 #1: "L2TP"[2] 213.226.63.142:33677
> STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in
> 3972s; newest ISAKMP
>
> When I look at tcpdump on UDP ports 500/4500, I see no (DPD) packets from
> the IPsec gateway to the remote device (Android).
> Is this a bug, or have I misconfigured something? Thank you.
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
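To make the diagnosis in Andreas's reply repeatable, here is an added check (example code written for this page, not part of the thread and not strongSwan's own code) that parses pluto's `ipsec status` output and reports, per connection, whether DPD is configured and whether a Phase 2 (IPsec) SA exists. A connection with dpdaction set but only a Phase 1 SA and a pending STATE_QUICK_I1 is flagged as "dpd-blocked", which is exactly the situation in the quoted status. The "stuck" sample lines are constructed from the status output quoted above (joined back onto single lines); the "up" sample is constructed too, and the exact wording of pluto's STATE_QUICK_I2 description ("IPsec SA established") is assumed.

```python
"""Check strongSwan 4.x (pluto) `ipsec status` output for connections where
DPD is configured but cannot fire because no IPsec SA has been established.
Added example; the sample status lines below are constructed for it."""
import re
from dataclasses import dataclass, field

# Constructed from the status output quoted in the thread, one record per line.
SAMPLE_STUCK = """\
000 "L2TP": dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP
"""

# Constructed counter-example: the same instance after Quick Mode completed
# (the STATE_QUICK_I2 description text is an assumption about pluto's wording).
SAMPLE_UP = """\
000 "L2TP"[2]: dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]: newest ISAKMP SA: #1; newest IPsec SA: #342;
000 #342: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 900s; newest IPSEC; eroute owner
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP
"""

CONN = r'(?P<conn>"[^"]+"(?:\[\d+\])?)'   # "name" or "name"[instance]
DPD_RE = re.compile(r'^000 ' + CONN + r': dpd_action: (?P<action>\w+); '
                    r'dpd_delay: (?P<delay>\d+)s; dpd_timeout: (?P<timeout>\d+)s;')
NEWEST_RE = re.compile(r'^000 ' + CONN + r': newest ISAKMP SA: #(?P<isakmp>\d+); '
                       r'newest IPsec SA: #(?P<ipsec>\d+);')
STATE_RE = re.compile(r'^000 #(?P<serial>\d+): ' + CONN + r' \S+ '
                      r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')


@dataclass
class ConnStatus:
    conn: str
    dpd_action: str = "none"
    dpd_delay: int = 0
    dpd_timeout: int = 0
    newest_isakmp_sa: int = 0
    newest_ipsec_sa: int = 0
    states: list = field(default_factory=list)   # (serial, STATE_*, description)

    @property
    def dpd_configured(self) -> bool:
        return self.dpd_action != "none" and self.dpd_delay > 0

    @property
    def ipsec_sa_established(self) -> bool:
        # A completed Quick Mode shows up as a non-zero "newest IPsec SA"
        # serial and as a state line describing an established IPsec SA.
        return self.newest_ipsec_sa != 0 or any(
            "IPsec SA established" in desc for _, _, desc in self.states)

    def verdict(self) -> str:
        if not self.dpd_configured:
            return "dpd-disabled"
        if self.newest_isakmp_sa == 0 and not self.states:
            return "idle"               # template or unused instance, no peer to probe
        if not self.ipsec_sa_established:
            # DPD is only started once Phase 2 completes, so a stuck Quick
            # Mode exchange means no R_U_THERE will ever be sent.
            pending = ", ".join(f"#{s} {st}" for s, st, _ in self.states
                                if st.startswith("STATE_QUICK")) or "none"
            return f"dpd-blocked: no IPsec SA (phase 2 pending: {pending})"
        return "dpd-active"


def analyse(status_text: str) -> dict:
    """Map connection name -> ConnStatus, built from `ipsec status` lines."""
    conns = {}

    def get(name: str) -> ConnStatus:
        return conns.setdefault(name, ConnStatus(conn=name))

    for line in status_text.splitlines():
        line = line.strip()
        if m := DPD_RE.match(line):
            c = get(m["conn"])
            c.dpd_action, c.dpd_delay, c.dpd_timeout = (
                m["action"], int(m["delay"]), int(m["timeout"]))
        elif m := NEWEST_RE.match(line):
            c = get(m["conn"])
            c.newest_isakmp_sa, c.newest_ipsec_sa = int(m["isakmp"]), int(m["ipsec"])
        elif m := STATE_RE.match(line):
            get(m["conn"]).states.append((int(m["serial"]), m["state"], m["desc"]))
    return conns


if __name__ == "__main__":
    # Run against live output with: ipsec status | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STUCK
    for name, c in analyse(text).items():
        print(f"{name}: {c.verdict()}")
```

Run without input it prints the verdict for the quoted status; piped from `ipsec status` it reports every connection. An instance that stays in "dpd-blocked" across several runs is the case to investigate first, since dpdtimeout can never expire for it: the remote side stopped answering the Quick Mode retransmits, so the only timer left is the Phase 1 SA lifetime (EVENT_SA_EXPIRE in the quoted output).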