[strongSwan] dead peer detection problem
Justin Cinkelj
justin.cinkelj at xlab.si
Wed Mar 27 15:00:45 CET 2013
Hi

I'm trying to set up dead peer detection with strongSwan.
After starting both peers, the tunnel works, and I can ping across the tunnel.
To simulate a crashed server, I do:
'kill -9' all server processes (Wed Mar 27 13:45:06),
and restart ipsec after about one minute (Mar 27 13:46:16).
Immediately after the server ipsec restart, the client could ping across the VPN
tunnel.
But after some time (approx. at 13:48:00), the ping stopped.
Then it takes a long time to start working again (like 5 minutes), or it
does not come back at all (in the attached log below, it didn't come up).
I guess my config is broken, but which part of it?
As I haven't found a better guide to DPD than man ipsec.conf, a link to
the docs would be helpful too.

Client: Ubuntu 12.04 + Linux strongSwan U4.5.2/K3.2.0-39-generic.
Server: CentOS 6.4 + Linux strongSwan U4.6.4/K2.6.32-358.2.1.el6.x86_64.
Justin
Server /etc/strongswan/ipsec.conf:

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=no

conn rtu-1
    authby=secret
    left=%defaultroute
    leftid=sunn
    leftsubnet=192.168.11.0/24,192.168.5.2/32
    right=bb.bb.bb.242
    rightid=moonn
    rightsubnet=192.168.87.0/24
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    auto=add
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
Client /etc/ipsec.conf:

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=no
    plutodebug = "control controlmore natt oppo"

conn x244
    authby=secret
    left=%defaultroute
    leftid=moonn
    leftsubnet=192.168.87.0/24
    right=aa.aa.aa.244
    rightid=sunn
    rightsubnet=192.168.11.0/24,192.168.5.2/32
    keyexchange=ikev2
    auto=add
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
Part of server log:
Mar 27 13:46:16 cgvf-ipsec charon: 00[JOB] spawning 16 worker threads
Mar 27 13:46:16 cgvf-ipsec charon: 10[CFG] received stroke: add
connection 'rtu-1'
Mar 27 13:46:16 cgvf-ipsec charon: 10[CFG] added configuration 'rtu-1'
# client can ping again
#
# ping will stop
Mar 27 13:47:49 cgvf-ipsec charon: 13[NET] received packet: from
bb.bb.bb.242[500] to 192.168.11.5[500]
Mar 27 13:47:49 cgvf-ipsec charon: 13[ENC] parsed IKE_SA_INIT request 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:47:49 cgvf-ipsec charon: 13[IKE] bb.bb.bb.242 is initiating an
IKE_SA
Mar 27 13:47:49 cgvf-ipsec charon: 13[IKE] local host is behind NAT,
sending keep alives
Mar 27 13:47:49 cgvf-ipsec charon: 13[IKE] remote host is behind NAT
Mar 27 13:47:49 cgvf-ipsec charon: 13[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 27 13:47:49 cgvf-ipsec charon: 13[NET] sending packet: from
192.168.11.5[500] to bb.bb.bb.242[500]
Mar 27 13:47:49 cgvf-ipsec charon: 14[NET] received packet: from
bb.bb.bb.242[4500] to 192.168.11.5[4500]
Mar 27 13:47:49 cgvf-ipsec charon: 14[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Mar 27 13:47:49 cgvf-ipsec charon: 14[CFG] looking for peer configs
matching 192.168.11.5[sunn]...bb.bb.bb.242[moonn]
Mar 27 13:47:49 cgvf-ipsec charon: 14[CFG] selected peer config 'rtu-1'
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] authentication of 'moonn'
with pre-shared key successful
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] peer supports MOBIKE
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] authentication of 'sunn'
(myself) with pre-shared key
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] IKE_SA rtu-1[1] established
between 192.168.11.5[sunn]...bb.bb.bb.242[moonn]
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] scheduling reauthentication
in 10187s
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] maximum IKE_SA lifetime 10727s
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] unable to add policy
192.168.11.0/24 === 192.168.87.0/24 out
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] unable to add policy
192.168.87.0/24 === 192.168.11.0/24 in
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] unable to add policy
192.168.87.0/24 === 192.168.11.0/24 fwd
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] unable to install IPsec
policies (SPD) in kernel
Mar 27 13:47:49 cgvf-ipsec charon: 14[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.5.2/32 === 192.168.87.0/24 out failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.87.0/24 === 192.168.5.2/32 in failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.87.0/24 === 192.168.5.2/32 fwd failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.5.2/32 === 192.168.87.0/24 out failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.87.0/24 === 192.168.5.2/32 in failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[KNL] deleting policy
192.168.87.0/24 === 192.168.5.2/32 fwd failed, not found
Mar 27 13:47:49 cgvf-ipsec charon: 14[ENC] generating IKE_AUTH response
1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Mar 27 13:47:49 cgvf-ipsec charon: 14[NET] sending packet: from
192.168.11.5[4500] to bb.bb.bb.242[4500]
Mar 27 13:47:59 cgvf-ipsec charon: 15[IKE] sending DPD request
Mar 27 13:47:59 cgvf-ipsec charon: 15[ENC] generating INFORMATIONAL
request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:47:59 cgvf-ipsec charon: 15[NET] sending packet: from
192.168.11.5[4500] to bb.bb.bb.242[4500]
Mar 27 13:47:59 cgvf-ipsec charon: 16[NET] received packet: from
bb.bb.bb.242[4500] to 192.168.11.5[4500]
Mar 27 13:47:59 cgvf-ipsec charon: 16[ENC] parsed INFORMATIONAL response
0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:09 cgvf-ipsec charon: 11[IKE] sending DPD request
Mar 27 13:48:09 cgvf-ipsec charon: 11[ENC] generating INFORMATIONAL
request 1 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:09 cgvf-ipsec charon: 11[NET] sending packet: from
192.168.11.5[4500] to bb.bb.bb.242[4500]
Mar 27 13:48:09 cgvf-ipsec charon: 10[NET] received packet: from
bb.bb.bb.242[4500] to 192.168.11.5[4500]
Mar 27 13:48:09 cgvf-ipsec charon: 10[ENC] parsed INFORMATIONAL response
1 [ N(NATD_S_IP) N(NATD_D_IP) ]
client log:
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] authentication of 'sunn'
with pre-shared key successful
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] IKE_SA x244[1] established
between 172.16.93.188[moonn]...aa.aa.aa.244[sunn]
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] scheduling reauthentication
in 9946s
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] maximum IKE_SA lifetime 10486s
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] CHILD_SA x244{1} established
with SPIs c764ec28_i c52c4498_o and TS 192.168.87.0/24 ===
192.168.11.0/24 192.168.5.2/32
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] received AUTH_LIFETIME of
9886s, scheduling reauthentication in 9346s
Mar 27 13:44:06 ub-1204-lvm charon: 15[IKE] peer supports MOBIKE
Mar 27 13:44:16 ub-1204-lvm charon: 05[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:44:16 ub-1204-lvm charon: 05[ENC] parsed INFORMATIONAL request
0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:44:16 ub-1204-lvm charon: 05[ENC] generating INFORMATIONAL
response 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:44:16 ub-1204-lvm charon: 05[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:44:26 ub-1204-lvm charon: 14[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:44:26 ub-1204-lvm charon: 14[ENC] parsed INFORMATIONAL request
1 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:44:26 ub-1204-lvm charon: 14[ENC] generating INFORMATIONAL
response 1 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:44:26 ub-1204-lvm charon: 14[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:45:04 ub-1204-lvm charon: 14[IKE] sending DPD request
Mar 27 13:45:04 ub-1204-lvm charon: 14[ENC] generating INFORMATIONAL
request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:45:04 ub-1204-lvm charon: 14[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:45:08 ub-1204-lvm charon: 10[IKE] retransmit 1 of request with
message ID 2
Mar 27 13:45:08 ub-1204-lvm charon: 10[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:45:15 ub-1204-lvm charon: 01[IKE] retransmit 2 of request with
message ID 2
Mar 27 13:45:15 ub-1204-lvm charon: 01[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:45:28 ub-1204-lvm charon: 12[IKE] retransmit 3 of request with
message ID 2
Mar 27 13:45:28 ub-1204-lvm charon: 12[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:45:52 ub-1204-lvm charon: 15[IKE] retransmit 4 of request with
message ID 2
Mar 27 13:45:52 ub-1204-lvm charon: 15[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
#
# client can ping again
#
Mar 27 13:46:34 ub-1204-lvm charon: 15[IKE] retransmit 5 of request with
message ID 2
Mar 27 13:46:34 ub-1204-lvm charon: 15[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:47:49 ub-1204-lvm charon: 12[IKE] giving up after 5 retransmits
#
# ping will stop
Mar 27 13:47:49 ub-1204-lvm charon: 12[IKE] restarting CHILD_SA x244
Mar 27 13:47:49 ub-1204-lvm charon: 12[IKE] initiating IKE_SA x244[2] to
aa.aa.aa.244
Mar 27 13:47:49 ub-1204-lvm charon: 12[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:47:49 ub-1204-lvm charon: 12[NET] sending packet: from
172.16.93.188[500] to aa.aa.aa.244[500]
Mar 27 13:47:49 ub-1204-lvm charon: 13[NET] received packet: from
aa.aa.aa.244[500] to 172.16.93.188[500]
Mar 27 13:47:49 ub-1204-lvm charon: 13[ENC] parsed IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 27 13:47:49 ub-1204-lvm charon: 13[IKE] local host is behind NAT,
sending keep alives
Mar 27 13:47:49 ub-1204-lvm charon: 13[IKE] remote host is behind NAT
Mar 27 13:47:49 ub-1204-lvm charon: 13[IKE] authentication of 'moonn'
(myself) with pre-shared key
Mar 27 13:47:49 ub-1204-lvm charon: 13[IKE] establishing CHILD_SA x244
Mar 27 13:47:49 ub-1204-lvm charon: 13[ENC] generating IKE_AUTH request
1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Mar 27 13:47:49 ub-1204-lvm charon: 13[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:47:49 ub-1204-lvm charon: 14[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:47:49 ub-1204-lvm charon: 14[ENC] parsed IKE_AUTH response 1 [
IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] authentication of 'sunn'
with pre-shared key successful
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] IKE_SA x244[2] established
between 172.16.93.188[moonn]...aa.aa.aa.244[sunn]
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] scheduling reauthentication
in 10073s
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] maximum IKE_SA lifetime 10613s
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] received TS_UNACCEPTABLE
notify, no CHILD_SA built
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] received AUTH_LIFETIME of
10187s, scheduling reauthentication in 9647s
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] peer supports MOBIKE
Mar 27 13:47:59 ub-1204-lvm charon: 05[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:47:59 ub-1204-lvm charon: 05[ENC] parsed INFORMATIONAL request
0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:47:59 ub-1204-lvm charon: 05[ENC] generating INFORMATIONAL
response 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:47:59 ub-1204-lvm charon: 05[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:48:09 ub-1204-lvm charon: 14[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:48:09 ub-1204-lvm charon: 14[ENC] parsed INFORMATIONAL request
1 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:09 ub-1204-lvm charon: 14[ENC] generating INFORMATIONAL
response 1 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:09 ub-1204-lvm charon: 14[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:48:19 ub-1204-lvm charon: 09[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
Mar 27 13:48:19 ub-1204-lvm charon: 09[ENC] parsed INFORMATIONAL request
2 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:19 ub-1204-lvm charon: 09[ENC] generating INFORMATIONAL
response 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
Mar 27 13:48:19 ub-1204-lvm charon: 09[NET] sending packet: from
172.16.93.188[4500] to aa.aa.aa.244[4500]
Mar 27 13:48:29 ub-1204-lvm charon: 12[NET] received packet: from
aa.aa.aa.244[4500] to 172.16.93.188[4500]
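Added example (not part of the post above, and not strongSwan project code): a small Python model of how long IKEv2 dead peer detection actually takes with charon, checked against the client log in the post. In IKEv2, charon does not use dpdtimeout; a DPD INFORMATIONAL request is subject to the normal retransmission schedule from strongswan.conf (retransmit_timeout * retransmit_base^n for n = 0..retransmit_tries, then "giving up"). The script assumes the charon defaults retransmit_timeout=4.0, retransmit_base=1.8, retransmit_tries=5 (an assumption: the post does not show strongswan.conf) and a constructed, condensed copy of the client's log lines with the year 2013 supplied for parsing. It also flags the CHILD_SA failure the post's logs show after the restart (TS_UNACCEPTABLE on the client, "failed to establish CHILD_SA" on the server), so the same checker can be run over a real charon log.

```python
import re
from datetime import datetime

# charon defaults from strongswan.conf (assumption: not overridden on the poster's hosts)
RETRANSMIT_TIMEOUT = 4.0
RETRANSMIT_BASE = 1.8
RETRANSMIT_TRIES = 5

# syslog-style charon line: "Mar 27 13:45:04 host charon: 14[IKE] message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$"
)

# Constructed sample: the client's DPD retransmit sequence and the CHILD_SA failure
# from the post, joined back onto single lines (the mail wrapped them).
SAMPLE_CLIENT_LOG = """\
Mar 27 13:45:04 ub-1204-lvm charon: 14[IKE] sending DPD request
Mar 27 13:45:08 ub-1204-lvm charon: 10[IKE] retransmit 1 of request with message ID 2
Mar 27 13:45:15 ub-1204-lvm charon: 01[IKE] retransmit 2 of request with message ID 2
Mar 27 13:45:28 ub-1204-lvm charon: 12[IKE] retransmit 3 of request with message ID 2
Mar 27 13:45:52 ub-1204-lvm charon: 15[IKE] retransmit 4 of request with message ID 2
Mar 27 13:46:34 ub-1204-lvm charon: 15[IKE] retransmit 5 of request with message ID 2
Mar 27 13:47:49 ub-1204-lvm charon: 12[IKE] giving up after 5 retransmits
Mar 27 13:47:49 ub-1204-lvm charon: 12[IKE] restarting CHILD_SA x244
Mar 27 13:47:49 ub-1204-lvm charon: 14[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
""".splitlines()


def retransmit_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE, tries=RETRANSMIT_TRIES):
    """Seconds after the first transmission at which charon retransmits (entries 0..tries-1)
    and finally gives up (last entry): cumulative sums of timeout * base**n."""
    offsets, elapsed = [], 0.0
    for n in range(tries + 1):
        elapsed += timeout * base ** n
        offsets.append(round(elapsed, 2))
    return offsets


def worst_case_detection_time(dpddelay, **kw):
    """Upper bound on time from the peer dying until charon runs dpdaction:
    up to one dpddelay of idle time before the DPD request, plus the full schedule."""
    return dpddelay + retransmit_schedule(**kw)[-1]


def parse(lines, year=2013):
    """Return (timestamp, log group, message) for every charon line; syslog omits the year."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("grp"), m.group("msg")))
    return events


def dpd_timeline(lines):
    """Offsets in seconds from the last 'sending DPD request' to each retransmit and to give-up."""
    start, offsets = None, []
    for ts, grp, msg in parse(lines):
        if grp != "IKE":
            continue
        if msg == "sending DPD request":
            start, offsets = ts, []
        elif start is not None and (msg.startswith("retransmit ") or msg.startswith("giving up")):
            offsets.append((ts - start).total_seconds())
    return offsets


def matches_schedule(observed, tolerance=1.0, **kw):
    """True if the observed retransmit offsets fit the configured schedule to within
    syslog's one-second timestamp resolution."""
    expected = retransmit_schedule(**kw)
    return len(observed) == len(expected) and all(
        abs(o - e) <= tolerance for o, e in zip(observed, expected)
    )


def child_sa_failures(lines):
    """Timestamps of lines showing an IKE_SA that came up without a usable CHILD_SA
    (the client's and server's wording for the same failure)."""
    return [ts for ts, _, msg in parse(lines)
            if "no CHILD_SA built" in msg or "failed to establish CHILD_SA" in msg]


if __name__ == "__main__":
    print("schedule:", retransmit_schedule())
    print("worst-case detection with dpddelay=10:", worst_case_detection_time(10), "s")
    observed = dpd_timeline(SAMPLE_CLIENT_LOG)
    print("observed:", observed, "fits defaults:", matches_schedule(observed))
    print("CHILD_SA failures at:", child_sa_failures(SAMPLE_CLIENT_LOG))
```

With the defaults the schedule is 4, 11.2, 24.16, 47.49, 89.48 and give-up at 165.06 seconds, which is exactly the 13:45:04 to 13:47:49 gap in the client log; so the roughly three-minute delay before dpdaction=restart fires is the retransmission schedule, not the dpdtimeout=30 in ipsec.conf. Shortening it for IKEv2 means lowering charon.retransmit_tries/retransmit_timeout in strongswan.conf, and the restart only helps if the new CHILD_SA can actually be installed, which the "unable to add policy" and TS_UNACCEPTABLE lines show did not happen here.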