[strongSwan] dpd and INFORMATIONAL requests

Noel Kuntze noel at familie-kuntze.de
Wed Apr 23 18:32:07 CEST 2014


Hello Tiago,

From "man ipsec.conf":
       dpddelay = 30s | <time>
              defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are
              only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL messages and uses only
              standard messages (such as those to rekey) to detect dead peers.

Did you make sure that no other traffic is flowing? dpd requests are only sent if no packet was received in the configured time frame.
On my installation between two strongSwan 5.1.3 peers, I get dpd actions if there is no IPsec traffic between the two hosts for the set time frame.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 23.04.2014 18:24, Tiago Vasconcelos wrote:
> Hi Noel
> 
> That's exactly what I get when there is a strongSwan 4.x on the other end of the tunnel:
> 
> 15[IKE] sending DPD request
> 15[ENC] generating INFORMATIONAL request 7 [ ]
> 15[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
> 04[NET] received packet: from bar[3474] to foo[4500] (76 bytes)
> 04[ENC] parsed INFORMATIONAL response 7 [ ]
> 
> This happens even when 'foo' is running strongSwan 5.1.1
> 
> But when both 'foo' and 'bar' are running strongSwan 5.1.1, I see no DPD or INFORMATIONAL requests in the logs at all... Any idea why?
> 
> 
> Regards,
> Tiago
> 
> 
> 
> On 23/04/14 16:39, Noel Kuntze wrote:
> Hello Tiago,
> 
> Something along the following should appear in the log:
> 
> 13[IKE] sending DPD request
> 13[NET] sending packet: from foo[4500] to bar[4500] (92 bytes)
> 12[NET] received packet: from bar[4500] to foo[4500] (92 bytes)
> 
> net and ike are both set to log level 1.
> 
> Regards,
> Noel Kuntze
> 
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 23.04.2014 17:12, Tiago Vasconcelos wrote:
>>>> I've enabled dpd by adding the following lines to the conn %default section of ipsec.conf:
>>>>
>>>>          dpdaction=restart
>>>>          dpddelay=10
>>>>
>>>>
>>>> Judging from the output of 'ipsec statusall' I presume dpd is set:
>>>>
>>>> ut01: child:  10.12.0.0/15 === 10.14.0.0/15 TUNNEL, dpdaction=restart
>>>>
>>>>
>>>> But in the logs, I don't see any INFORMATIONAL requests being generated or received from the other strongSwan hosts running 5.1.1:
>>>>
>>>>     charon: [info] 15[ENC] generating INFORMATIONAL request 7 [ ]
>>>>     ...
>>>>     charon: [info] 04[ENC] parsed INFORMATIONAL response 7 [ ]
>>>>
>>>> I only see INFORMATIONAL messages to/from hosts running 4.5 and 4.6.
>>>> How can I check whether dpd is actually working?
>>>> I'm using IKEv2, by the way.
>>>>
>>>>
>>>> -- 
>>>> Tiago
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>
> 
> 
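Added example (not part of the original thread and not strongSwan code): one way to answer "how can I check whether dpd is actually working" from a charon log, by pairing the empty IKEv2 INFORMATIONAL requests with their responses by message ID. The sample log is constructed from the line formats quoted in this thread; the function names, the verdict strings and the wording of the peer-initiated "parsed INFORMATIONAL request" line are assumptions.

```python
import re

# Constructed sample in the charon log format quoted in this thread;
# the second probe (message ID 8) is deliberately left unanswered.
SAMPLE_LOG = """\
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL request 7 [ ]
15[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
04[NET] received packet: from bar[3474] to foo[4500] (76 bytes)
04[ENC] parsed INFORMATIONAL response 7 [ ]
09[IKE] sending DPD request
09[ENC] generating INFORMATIONAL request 8 [ ]
09[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
"""

# An INFORMATIONAL message with an empty payload list "[ ]" is the IKEv2 probe.
EMPTY_INFO = re.compile(
    r"\[ENC\] (generating|parsed) INFORMATIONAL (request|response) (\d+) \[ \]")
DPD_SENT = re.compile(r"\[IKE\] sending DPD request")

def dpd_summary(log_text):
    """Pair empty INFORMATIONAL requests and responses by message ID (one IKE_SA assumed)."""
    announced, sent, answered, peer_probes = 0, [], set(), []
    for line in log_text.splitlines():
        if DPD_SENT.search(line):
            announced += 1
        m = EMPTY_INFO.search(line)
        if not m:
            continue
        event, msg_id = (m.group(1), m.group(2)), int(m.group(3))
        if event == ("generating", "request"):
            sent.append(msg_id)          # our probe
        elif event == ("parsed", "response"):
            answered.add(msg_id)         # peer answered our probe
        elif event == ("parsed", "request"):
            peer_probes.append(msg_id)   # peer probed us (assumed log wording)
    return {"announced": announced, "sent": sent, "peer_probes": peer_probes,
            "answered": [i for i in sent if i in answered],
            "unanswered": [i for i in sent if i not in answered]}

def verdict(s):
    if not (s["announced"] or s["sent"] or s["peer_probes"]):
        # Probes are only sent when no other traffic is received (dpddelay),
        # so an empty result does not by itself show that DPD is disabled.
        return "no-probes-logged"
    if s["unanswered"]:
        return "unanswered-probes"
    if s["answered"] or s["peer_probes"]:
        return "peer-alive"
    return "probes-sent-enc-lines-missing"  # only [IKE] lines were logged
```

A probe at the very end of a log excerpt can show as unanswered only because the excerpt stops before the response; check the following lines before treating it as a dead peer.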

