[strongSwan] dpd and INFORMATIONAL requests

Tiago Vasconcelos tiago.o.vasconcelos at gmail.com
Thu Apr 24 17:54:32 CEST 2014


Hello Noel

That is a reasonable explanation. In fact, there is a constant traffic 
flow between the hosts whose logs don't contain DPD requests!
I'll assume DPD is working as expected.

Thank you,
Tiago


On 23/04/14 17:32, Noel Kuntze wrote:
> Hello Tiago,
>
> From "man ipsec.conf":
>         dpddelay = 30s | <time>
>                defines the period time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are
>                only sent if no other traffic is received. In IKEv2, a value of 0 sends no additional INFORMATIONAL messages and uses only
>                standard messages (such as those to rekey) to detect dead peers.
>
> Did you make sure that no other traffic is flowing? DPD requests are only sent if no packet was received in the configured time frame.
> On my installation between two strongSwan 5.1.3 peers, I get DPD actions if there is no IPsec traffic between the two hosts for the set time frame.
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 23.04.2014 18:24, Tiago Vasconcelos wrote:
>> Hi Noel
>>
>> That's exactly what I get when there is a strongSwan 4.x on the other end of the tunnel:
>>
>> 15[IKE] sending DPD request
>> 15[ENC] generating INFORMATIONAL request 7 [ ]
>> 15[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
>> 04[NET] received packet: from bar[3474] to foo[4500] (76 bytes)
>> 04[ENC] parsed INFORMATIONAL response 7 [ ]
>>
>> This happens even when 'foo' is running strongSwan 5.1.1
>>
>> But when both 'foo' and 'bar' are running strongSwan 5.1.1, I see no DPD or INFORMATIONAL requests in the logs at all... Any idea why?
>>
>>
>> Regards,
>> Tiago
>>
>>
>>
>> On 23/04/14 16:39, Noel Kuntze wrote:
>> Hello Tiago,
>>
>> Something along the following should appear in the log:
>>
>> 13[IKE] sending DPD request
>> 13[NET] sending packet: from foo[4500] to bar[4500] (92 bytes)
>> 12[NET] received packet: from bar[4500] to foo[4500] (92 bytes)
>>
>> net and ike are both set to log level 1.
>>
>> Regards,
>> Noel Kuntze
>>
>> GPG Key id: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 23.04.2014 17:12, Tiago Vasconcelos wrote:
>>>>> I've enabled dpd by adding the following lines to the conn %default section of ipsec.conf:
>>>>>
>>>>>           dpdaction=restart
>>>>>           dpddelay=10
>>>>>
>>>>>
>>>>> Judging from the output of 'ipsec statusall' I presume dpd is set:
>>>>>
>>>>> ut01: child:  10.12.0.0/15 === 10.14.0.0/15 TUNNEL, dpdaction=restart
>>>>>
>>>>>
>>>>> But in the logs, I don't see any INFORMATIONAL requests being generated or received from the other strongSwan hosts running 5.1.1:
>>>>>
>>>>>      charon: [info] 15[ENC] generating INFORMATIONAL request 7 [ ]
>>>>>      ...
>>>>>      charon: [info] 04[ENC] parsed INFORMATIONAL response 7 [ ]
>>>>>
>>>>> I only see INFORMATIONAL messages to/from hosts running 4.5 and 4.6.
>>>>> How can I check whether dpd is actually working?
>>>>> I'm using IKEv2, by the way.
>>>>>
>>>>>
>>>>> --
>>>>> Tiago
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>
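
One way to answer the question "How can I check whether dpd is actually working?" from the charon log itself, as an added example that is not part of the original thread: it pairs each "sending DPD request" with the empty INFORMATIONAL response carrying the same message ID. It assumes the log covers a single IKE_SA (message IDs are per IKE_SA) and that the ENC lines are logged as in Tiago's excerpt; the sample log and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the charon lines quoted in this thread.
SAMPLE_LOG = """\
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL request 7 [ ]
15[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
04[NET] received packet: from bar[3474] to foo[4500] (76 bytes)
04[ENC] parsed INFORMATIONAL response 7 [ ]
09[IKE] sending DPD request
09[ENC] generating INFORMATIONAL request 8 [ ]
09[NET] sending packet: from foo[4500] to bar[3474] (76 bytes)
"""

DPD = re.compile(r"\[IKE\] sending DPD request")
REQ = re.compile(r"\[ENC\] generating INFORMATIONAL request (\d+) \[ \]")
RSP = re.compile(r"\[ENC\] parsed INFORMATIONAL response (\d+) \[ \]")

def dpd_summary(log_text):
    """Pair each logged DPD request with its response by IKEv2 message ID."""
    awaiting_enc = False          # saw the IKE line, ENC line not yet seen
    sent, replies = [], set()
    for line in log_text.splitlines():
        if DPD.search(line):
            awaiting_enc = True
        elif awaiting_enc and (m := REQ.search(line)):
            sent.append(int(m.group(1)))
            awaiting_enc = False
        elif m := RSP.search(line):
            replies.add(int(m.group(1)))
    return {
        "sent": sent,
        "answered": [i for i in sent if i in replies],
        "unanswered": [i for i in sent if i not in replies],
    }

def verdict(summary):
    """Interpret the counts the way the thread does."""
    if not summary["sent"]:
        # Per the dpddelay man page text: nothing is sent while traffic arrives.
        return "no DPD requests logged; expected if the peer's traffic keeps arriving"
    if summary["unanswered"]:
        return "DPD requests without a response: %s" % summary["unanswered"]
    return "all DPD requests answered"

if __name__ == "__main__":
    print(verdict(dpd_summary(SAMPLE_LOG)))
```

A request at the very end of a log may appear unanswered only because the capture stopped before the response arrived.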



