[strongSwan] issue when configuring dpdaction=restart in ipsec.conf
bhargav p
bhargav.1226 at gmail.com
Mon Feb 11 13:50:06 CET 2013
Hi,
I configured dpdaction=restart, dpddelay=30 and auto=route. Please see
the ipsec.conf file below:
config setup
        charonstart=yes
        plutostart=no
        uniqueids=no
        charondebug="knl 0,enc 0,net 0"

conn %default
        auto=route
        keyexchange=ikev2
        reauth=no

conn rule20-1~vpn20
        rekeymargin=180
        rekeyfuzz=100%
        left=10.0.0.1
        right=10.0.0.2
        leftsubnet=10.0.0.1/32
        rightsubnet=10.0.0.2/32
        authby=secret
        leftid=10.0.0.1
        rightid=%any
        ike=aes128-md5-modp1536!
        esp=aes128-md5!
        type=tunnel
        ikelifetime=3600s
        keylife=1800s
        dpdaction=restart
        dpddelay=30
        mobike=no
        auto=route
        reauth=no
        encapdscp=yes

conn rule21-1~vpn21
        rekeymargin=180
        rekeyfuzz=100%
        left=20.0.0.1
        right=20.0.0.2
        leftsubnet=20.0.0.1/32
        rightsubnet=20.0.0.2/32
        authby=secret
        leftid=20.0.0.1
        rightid=%any
        ike=aes128-md5-modp1536!
        esp=aes128-md5!
        type=tunnel
        ikelifetime=3600s
        keylife=1800s
        dpdaction=restart
        dpddelay=30
        mobike=no
        auto=route
        reauth=no
        encapdscp=yes
There are two conn sections, and I have started the traffic for the conn
rule20-1~vpn20; the CHILD_SAs are getting established. The logs are:
Feb 12 00:21:19.816015 info charon: 15[IKE] IKE_SA rule20-1~vpn20[1]
established between 10.0.0.2[(vr*)10.0.0.2]...10.0.0.1[(vr*)10.0.0.1]
Feb 12 00:21:19.816451 info charon: 15[IKE] scheduling rekeying in 3411s
Feb 12 00:21:19.816677 info charon: 15[IKE] maximum IKE_SA lifetime 3591s
Feb 12 00:21:19.817671 info charon: 15[IKE] CHILD_SA rule20-1~vpn20{4}
established with SPIs c1dd2c2f_i c56e7496_o and TS 10.0.0.2/32 ===
10.0.0.1/32
Feb 12 00:21:19.851876 info charon: 07[IKE] authentication of
'(vr*)10.0.0.2' with pre-shared key successful
Feb 12 00:21:19.852125 info charon: 07[IKE] IKE_SA rule20-1~vpn20[1]
established between 10.0.0.1[(vr*)10.0.0.1]...10.0.0.2[(vr*)10.0.0.2]
Feb 12 00:21:19.852501 info charon: 07[IKE] scheduling rekeying in 3366s
Feb 12 00:21:19.852702 info charon: 07[IKE] maximum IKE_SA lifetime 3546s
Feb 12 00:21:19.853516 info charon: 07[IKE] CHILD_SA rule20-1~vpn20{1}
established with SPIs c56e7496_i c1dd2c2f_o and TS 10.0.0.1/32 ===
10.0.0.2/32
Now I stopped the traffic, deleted the conn section [rule20-1~vpn20]
in the /etc/ipsec.conf file and sent SIGHUP to the starter pid, and I am
seeing the logs below:
Feb 12 00:23:27.820262 info IPSec: Starter: sending SIGHUP to Starter pid
26310
Feb 12 00:23:27.821899 info charon: 11[CFG] received stroke: terminate
'rule20-1~vpn20{*}'
Feb 12 00:23:27.822286 info charon: 08[IKE] closing CHILD_SA
rule20-1~vpn20{1} with SPIs c56e7496_i (1064 bytes) c1dd2c2f_o (588 bytes)
and TS 10.0.0.1/32 === 10.0.0.2/32
Feb 12 00:23:27.822476 info charon: 08[IKE] sending DELETE for ESP CHILD_SA
with SPI c56e7496
Feb 12 00:23:27.790566 info charon: 09[IKE] received DELETE for ESP
CHILD_SA with SPI c56e7496
Feb 12 00:23:27.790882 info charon: 09[IKE] closing CHILD_SA
rule20-1~vpn20{4} with SPIs c1dd2c2f_i (1064 bytes) c56e7496_o (588 bytes)
and TS 10.0.0.2/32 === 10.0.0.1/32
Feb 12 00:23:27.791094 info charon: 09[IKE] sending DELETE for ESP
CHILD_SA with SPI c1dd2c2f
Feb 12 00:23:27.791094 info charon: 09[IKE] CHILD_SA closed
Feb 12 00:23:27.791601 info charon: 09[IKE] establishing CHILD_SA
rule20-1~vpn20
Feb 12 00:23:27.826876 info charon: 10[IKE] CHILD_SA rule20-1~vpn20{4}
established with SPIs c64da587_i c53dfa9a_o and TS 10.0.0.1/32 ===
10.0.0.2/32
Feb 12 00:23:27.827289 info charon: 16[CFG] received stroke: unroute
'rule20-1~vpn20'
Feb 12 00:23:27.828274 info charon: 12[IKE] received DELETE for ESP
CHILD_SA with SPI c1dd2c2f
Feb 12 00:23:27.828462 info charon: 12[IKE] CHILD_SA closed
Feb 12 00:23:27.829138 info charon: 07[CFG] received stroke: delete
connection 'rule20-1~vpn20'
Feb 12 00:23:27.829239 info charon: 07[CFG] deleted connection
'rule20-1~vpn20'
Feb 12 00:23:27.797011 info charon: 11[IKE] CHILD_SA rule20-1~vpn20{5}
established with SPIs c53dfa9a_i c64da587_o and TS 10.0.0.2/32 ===
10.0.0.1/32
Feb 12 00:22:58.645625 info
Because a new CHILD_SA is getting established, setkey -DP still shows
the related policies. Why is this happening?
If I remove dpdaction=restart, then after executing the above test I can
see the policies being removed from the kernel.
My doubt is: why are the policies not being deleted when I configure
dpdaction=restart?
Can someone please help me understand this dpdaction=restart
behaviour?
---Bhargav
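The log excerpt above shows "CHILD_SA closed" followed by "establishing CHILD_SA rule20-1~vpn20" and a new CHILD_SA {4}/{5} coming up before the "unroute" and "delete connection" strokes arrive. After a reload like this, the question a practitioner wants answered is simply whether kernel policies for the removed conn's traffic selectors are still installed. The following script is an added example, not from the original post or from strongSwan, that answers that for a `setkey -DP` dump: it counts and lists policy entries whose src/dst selectors match a given subnet pair in either direction. The dump embedded in it is constructed to mimic `setkey -DP` output for the two conns above (header line `<src>[any] <dst>[any] any`, then indented detail lines); the exact rendering of host addresses by setkey is an assumption, so check it against a real dump before relying on the parser.

```sh
#!/bin/sh
# Added example (not from the original post): report whether kernel IPsec
# policies for a traffic-selector pair are still present in a `setkey -DP`
# dump, e.g. after deleting a conn from ipsec.conf and sending SIGHUP to
# starter. On a live host replace SAMPLE_DUMP with "$(setkey -DP)".

# Constructed sample of `setkey -DP` output (assumed format): policies for
# rule20-1~vpn20 (10.0.0.1/32 <-> 10.0.0.2/32, both directions still
# installed) and one outbound policy for rule21-1~vpn21.
SAMPLE_DUMP='10.0.0.1/32[any] 10.0.0.2/32[any] any
    out prio def ipsec
    esp/tunnel/10.0.0.1-10.0.0.2/require
    created: Feb 12 00:23:27 2013  lastused: Feb 12 00:23:27 2013
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=1 pid=26310
    refcnt=1
10.0.0.2/32[any] 10.0.0.1/32[any] any
    in prio def ipsec
    esp/tunnel/10.0.0.2-10.0.0.1/require
    created: Feb 12 00:23:27 2013  lastused: Feb 12 00:23:27 2013
    lifetime: 0(s) validtime: 0(s)
    spid=2 seq=0 pid=26310
    refcnt=1
20.0.0.1/32[any] 20.0.0.2/32[any] any
    out prio def ipsec
    esp/tunnel/20.0.0.1-20.0.0.2/require
    created: Feb 12 00:21:19 2013  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=3 seq=2 pid=26310
    refcnt=1'

# count_policies DUMP SUBNET_A SUBNET_B
# Prints the number of policy entries whose header selectors are A->B or
# B->A. Header lines start at column 0; detail lines are indented.
count_policies() {
    dump=$1; a=$2; b=$3
    printf '%s\n' "$dump" | awk -v a="$a" -v b="$b" '
        /^[^[:space:]]/ {
            src = $1; dst = $2
            sub(/\[.*$/, "", src); sub(/\[.*$/, "", dst)   # strip "[any]"
            if ((src == a && dst == b) || (src == b && dst == a)) n++
        }
        END { print n + 0 }'
}

# list_policies DUMP SUBNET_A SUBNET_B
# Prints "src -> dst <direction>" for every matching policy, using the
# in/out/fwd keyword on the first detail line of each entry.
list_policies() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        /^[^[:space:]]/ {
            src = $1; dst = $2
            sub(/\[.*$/, "", src); sub(/\[.*$/, "", dst)
            hit = ((src == a && dst == b) || (src == b && dst == a))
            hdr = src " -> " dst
            next
        }
        hit && /^[[:space:]]+(in|out|fwd) / { print hdr " " $1 }'
}

# policies_removed DUMP SUBNET_A SUBNET_B
# Exit status 0 when no policy for the pair remains, 1 otherwise.
policies_removed() {
    [ "$(count_policies "$1" "$2" "$3")" -eq 0 ]
}

demo() {
    pair_a=10.0.0.1/32; pair_b=10.0.0.2/32
    echo "policies present for $pair_a <-> $pair_b:"
    list_policies "$SAMPLE_DUMP" "$pair_a" "$pair_b"
    if policies_removed "$SAMPLE_DUMP" "$pair_a" "$pair_b"; then
        echo "rule20-1~vpn20: policies removed from kernel"
    else
        echo "rule20-1~vpn20: policies still installed (CHILD_SA re-established?)"
    fi
}
demo
```

On a host with ipsec-tools installed, `policies_removed "$(setkey -DP)" 10.0.0.1/32 10.0.0.2/32` after the SIGHUP gives a yes/no answer that can be compared between a run with dpdaction=restart and a run without it.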