[strongSwan] Not working DPD on strongSwan 4.5.2

Dragomir Ivanov drago.ivanov at gmail.com
Wed Jan 2 13:36:53 CET 2013


Actually the output above happens ~30-60 minutes after phone disconnection.

1. Right after I start the ipsec daemon, with no clients connected, I have:

000
000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

2. When a client is connected (I can ssh to the VPN gateway through the tunnel):

000
000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2
000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "L2TP"[2]:   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000
000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1104s; newest IPSEC; eroute owner
000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510 at 213.226.63.139 (606 bytes, 2s ago) esp.c639026f at 212.25.51.133 (595 bytes, 2s ago); transport
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28793s; newest ISAKMP
000

3. After I disconnect the client and wait 9 minutes (just in case), I
have:

000
000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2
000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "L2TP"[2]:   ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000
000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 489s; newest IPSEC; eroute owner
000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510 at 213.226.63.139 (1106 bytes, 555s ago) esp.c639026f at 212.25.51.133 (1079 bytes, 559s ago); transport
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28178s; newest ISAKMP
000

4. Without touching the phone or strongSwan, I now have the following:

000
000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; unrouted; eroute owner: #0
000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #45: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 24742s; newest ISAKMP
000

It is worth mentioning that when the tunnel is in the state from paragraph 3
above, if I attempt to connect again with the same phone and the same
connection credentials, the connection starts as usual, but then the L2TP
traffic does not go over port 4500 as usual, but continues on 1701, and is
not encrypted.

There was no packet flow during these 9 minutes, as viewed with this command:
tcpdump -l -v -n -i eth1 port 500 or port 4500 or port 1701 or esp

I have a working tunnel with strongSwan 4.3.2, and in the auth.log file
I have the following references to DPD:
pluto[1346]: "q81" #12761: Dead Peer Detection (RFC 3706) enabled
pluto[1346]: out_vendorid(): sending [Dead Peer Detection]
pluto[1346]: "q81" #12763: received Vendor ID payload [Dead Peer Detection]

On 4.5.2 the only reference in auth.log is:
pluto[7293]: "q81" #1: received Vendor ID payload [Dead Peer Detection]

I checked that there is no compile-time option for disabling DPD. Ubuntu 12.04
didn't provide any patches to disable DPD.
Am I missing something?


On Thu, Dec 20, 2012 at 7:04 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Dragomir,
>
> with your configuration DPD should work but your ipsec status
> shows with
>
>
>  STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
>
> that the IPsec connection has not been fully established and therefore
> no DPD payloads are sent.
>
> Regards
>
> Andreas
>
>
> On 20.12.2012 00:01, Dragomir Ivanov wrote:
>
>> Hello,
>> I have the following configuration for L2TP connection used by Android
>> phone:
>>
>> config setup
>>          plutostart=yes
>>          plutodebug="control controlmore"
>>          charonstart=yes
>>          nocrsend=yes
>>          nat_traversal=yes
>>
>>          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>
>>
>> conn %default
>>          ikelifetime=60m
>>          keylife=20m
>>          rekeymargin=3m
>>          keyingtries=%forever
>>          authby=secret
>>          mobike=no
>>
>>
>> conn L2TP
>>          authby=secret
>>          auto=add
>>          rekey=no
>>          pfs=no
>>          type=transport
>>          forceencaps=yes
>>          compress=yes
>>          left=212.25.51.133
>>          leftnexthop=212.25.51.1
>>          leftprotoport=17/1701
>>          right=%any
>>          rightprotoport=17/%any
>>          rightsubnet=vhost:%no,%priv
>>          keyexchange=ikev1
>>          dpdaction=clear
>>          dpdtimeout=60
>>          dpddelay=10
>>
>> Phone connects OK. But when phone is disconnected, SA stays
>> indefinitely. With my configuration it should remove SA association in
>> 60seconds or so, but it stays like this:
>>
>> 000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
>> 000 "L2TP":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
>> 000 "L2TP":   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
>> 000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0; unrouted; eroute owner: #0
>> 000 "L2TP"[2]:   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
>> 000 "L2TP"[2]:   policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
>> 000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
>> 000 "L2TP"[2]:   IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
>> 000
>> 000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
>> 000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP
>>
>> When I look on tcpdump on udp ports 500/4500, I see no packets(DPD) from
>> IPSec gateway, to remote device (Android).
>> Is this a bug, or I have misconfigured something? Thank you.
>>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ============================================================[ITA-HSR]==
>
>
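The `ipsec statusall` output in this thread is what an operator ends up reading by eye to tell whether DPD is doing its job. The script below is an added example (it is neither from the thread nor strongSwan's own code) that parses such status lines for the two conditions discussed above: an instance whose ISAKMP SA is up but whose newest IPsec SA is #0 (the Quick Mode retransmit state Andreas points at, in which no DPD payloads are sent), and an IPsec SA that is still present although its ESP counters show the peer silent for longer than dpd_delay plus dpd_timeout (the step 3 state, where dpd_action=clear should already have fired). The sample inputs are constructed from the thread's output, re-joined onto single lines; the `Conn`, `Finding`, `parse_status` and `check_dpd` names are the example's own, and the idle threshold assumes the usual DPD semantics (a probe after dpd_delay seconds of silence, dpd_action after dpd_timeout more seconds without a reply).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the `ipsec statusall` lines from step 3 of the thread
# (client gone, SAs still present), re-joined onto single lines since the list
# archive wrapped them. Not a verbatim capture.
STATUS_AFTER_DISCONNECT = """\
000 "L2TP":   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.139:2212[10.176.85.22]:17/0; erouted; eroute owner: #2
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 489s; newest IPSEC; eroute owner
000 #2: "L2TP"[2] 213.226.63.139:2212 esp.7863510@213.226.63.139 (1106 bytes, 555s ago) esp.c639026f@212.25.51.133 (1079 bytes, 559s ago); transport
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28178s; newest ISAKMP
"""
# Constructed sample from step 4: IPsec SA gone, Quick Mode retransmitting.
STATUS_STUCK_QUICK_MODE = """\
000 "L2TP"[2]:   dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #45: "L2TP"[2] 213.226.63.139:2212 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 6s
000 #1: "L2TP"[2] 213.226.63.139:2212 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 24742s; newest ISAKMP
"""

# A connection name is "L2TP" for the template or "L2TP"[2] for an instance.
CONN_LINE = re.compile(r'^000 (?P<name>"[^"]+"(?:\[\d+\])?):\s+(?P<body>.*)$')
SA_LINE = re.compile(r'^000 #\d+: (?P<name>"[^"]+"(?:\[\d+\])?) \S+ (?P<body>.*)$')
DPD_PARAMS = re.compile(r'dpd_action: (\w+); dpd_delay: (\d+)s; dpd_timeout: (\d+)s')
NEWEST = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')
STATE = re.compile(r'^(STATE_\w+)')
ESP_AGE = re.compile(r'\(\d+ bytes, (\d+)s ago\)')   # independent of the "@" vs " at " spelling

@dataclass
class Conn:
    dpd_action: Optional[str] = None
    dpd_delay: int = 0
    dpd_timeout: int = 0
    newest_ike: int = 0
    newest_ipsec: int = 0
    states: List[str] = field(default_factory=list)
    esp_idle: Optional[int] = None   # seconds since the last packet on any ESP SA

@dataclass
class Finding:
    conn: str
    kind: str
    detail: str

def parse_status(text: str) -> Dict[str, Conn]:
    """Collect per-connection DPD settings, newest SA numbers, states and ESP idle time."""
    conns: Dict[str, Conn] = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            c = conns.setdefault(m['name'], Conn())
            s = STATE.match(m['body'])
            if s:
                c.states.append(s.group(1))
            ages = [int(a) for a in ESP_AGE.findall(m['body'])]
            if ages:
                c.esp_idle = max(ages + ([c.esp_idle] if c.esp_idle is not None else []))
            continue
        m = CONN_LINE.match(line)
        if m:
            c = conns.setdefault(m['name'], Conn())
            d = DPD_PARAMS.search(m['body'])
            if d:
                c.dpd_action, c.dpd_delay, c.dpd_timeout = d.group(1), int(d.group(2)), int(d.group(3))
            n = NEWEST.search(m['body'])
            if n:
                c.newest_ike, c.newest_ipsec = int(n.group(1)), int(n.group(2))
    return conns

def check_dpd(conns: Dict[str, Conn]) -> List[Finding]:
    """Flag instances where DPD cannot run, or where it ran but did not act."""
    findings: List[Finding] = []
    for name, c in conns.items():
        if c.dpd_action is None:
            continue    # no DPD configured on this connection, nothing to expect
        # Only Phase 1 is up: there is no IPsec SA to probe, so no DPD payloads
        # are sent (the point made in the reply). Quick Mode retransmits are the symptom.
        if c.newest_ike and not c.newest_ipsec:
            quick = [s for s in c.states if s.startswith('STATE_QUICK_')]
            stuck = f' (stuck in {quick[0]})' if quick else ''
            findings.append(Finding(name, 'phase2-incomplete',
                                    f'ISAKMP SA #{c.newest_ike} up, no IPsec SA{stuck}'))
        # An IPsec SA still present although the peer has been silent longer than
        # one probe plus its timeout: dpd_action should have fired by now.
        if c.newest_ipsec and c.esp_idle is not None:
            limit = c.dpd_delay + c.dpd_timeout
            if c.esp_idle > limit:
                findings.append(Finding(name, 'dpd-inactive',
                                        f'IPsec SA #{c.newest_ipsec} idle {c.esp_idle}s > {limit}s, '
                                        f'dpd_action={c.dpd_action} never fired'))
    return findings

if __name__ == '__main__':
    for label, text in (('after disconnect', STATUS_AFTER_DISCONNECT),
                        ('stuck quick mode', STATUS_STUCK_QUICK_MODE)):
        for f in check_dpd(parse_status(text)):
            print(f'{label}: {f.conn} {f.kind}: {f.detail}')
```

Run as-is it reports one `dpd-inactive` finding for the step 3 sample and one `phase2-incomplete` finding for the step 4 sample; on a live gateway, feed the output of `ipsec statusall` to `parse_status` instead. The template entry `"L2TP"` (no `[n]`) never triggers a finding because both its newest SA numbers are #0, so only peer instances are judged.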