[strongSwan] How is DPD meant to work?

Alan Ford alan.ford at gmail.com
Wed Mar 12 00:47:07 CET 2014


Hi all,

I am using StrongSwan 5.1.1, and despite enabling DPD my SAs are not being
cleared. I am probably misunderstanding what DPD is for, so I am hoping
someone can clarify. Here's my scenario:

Two nodes, 10.0.0.1 and 10.0.0.2. Node 2 has the connection as auto=route
so is responsible for its creation (Node 1 is auto=add).

If I hard power-cycle Node 1, the SA remains until the Child SA rekeys. I
had thought I could get around this with DPD, so that it would detect Node
1 had no state for that connection and close it, thus triggering a
re-establishment. But this is not working: despite having DPD configured, it
still waits until the Child SA rekeys naturally.

Shortly before this, the ipsec statusall looked like this:

node-10.0.0.1:  10.0.0.2...10.0.0.1  IKEv1/2, dpddelay=30s
node-10.0.0.1:   local:  [10.0.0.2] uses public key authentication
node-10.0.0.1:    cert:  "C=UK, ST=Berkshire, L=Reading, O=Pexip, CN=worker1.rd.pexip.com"
node-10.0.0.1:   remote: [10.0.0.1] uses public key authentication
node-10.0.0.1:   child:  dynamic === dynamic TRANSPORT, dpdaction=clear
Routed Connections:
node-10.0.0.1{1}:  ROUTED, TRANSPORT
node-10.0.0.1{1}:   10.0.0.2/32 === 10.0.0.1/32
Security Associations (1 up, 0 connecting):
node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours
node-10.0.0.1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
node-10.0.0.1{1}:  INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}:  AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
node-10.0.0.1{1}:   10.0.0.2/32 === 10.0.0.1/32

My ipsec.conf reads on Node 1:

config setup

conn %default
    left=10.0.0.1
    leftcert=cert.pem
    rightca=%same
    reauth=no
    type=transport
    mobike=no
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    keyingtries=%forever
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s

conn node-10.0.0.2
    right=10.0.0.2
    auto=add

And on Node 2 it's auto=route pointing to 10.0.0.1 but otherwise the same.

A tcpdump showed no IKE INFORMATIONAL messages being sent from Node 2. No
charon logs in syslog existed in this time either. Can anybody please help
me understand why DPD is not probing here? Or do I need some other setting?

Thanks in advance,
Alan
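Added example (not part of the post and not strongSwan code): a small Python check over the ipsec statusall output quoted above, re-joined onto single lines, that pairs each connection's dpddelay and dpdaction with the CHILD_SA inbound counters and flags SAs whose peer has been silent for at least dpddelay, the condition under which a DPD INFORMATIONAL exchange would be expected. The regex layouts and the ChildReport type are my own assumptions about this version's output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the ipsec statusall output quoted
# in the post, re-joined onto single lines.
SAMPLE_STATUS = """\
node-10.0.0.1:  10.0.0.2...10.0.0.1  IKEv1/2, dpddelay=30s
node-10.0.0.1:   child:  dynamic === dynamic TRANSPORT, dpdaction=clear
node-10.0.0.1{1}:  INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}:  AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
"""

CONN_RE = re.compile(r"^(?P<conn>\S+):\s+\S+\.\.\.\S+\s+IKEv\S+,\s+dpddelay=(?P<delay>\d+)s")
ACTION_RE = re.compile(r"^(?P<conn>\S+):\s+child:.*\bdpdaction=(?P<action>\w+)")
# Traffic counters; the "(N pkts, Ts ago)" part is absent when no packet has been seen yet.
CHILD_RE = re.compile(
    r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, (?P<idle_i>\d+)s ago\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, (?P<idle_o>\d+)s ago\))?"
)

@dataclass
class ChildReport:
    conn: str
    child_id: int
    dpddelay: Optional[int]      # seconds; None when DPD is not configured
    dpdaction: Optional[str]
    inbound_idle: Optional[int]  # seconds since the last inbound ESP packet; None if none yet
    probe_expected: bool         # peer silent for at least dpddelay, so a DPD exchange is due

def parse_status(text: str) -> List[ChildReport]:
    """Correlate each connection's DPD settings with its CHILD_SA traffic counters."""
    delays: Dict[str, int] = {}
    actions: Dict[str, str] = {}
    reports: List[ChildReport] = []
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            delays[m["conn"]] = int(m["delay"])
        elif m := ACTION_RE.match(line):
            actions[m["conn"]] = m["action"]
        elif m := CHILD_RE.match(line):
            delay = delays.get(m["conn"])
            idle = int(m["idle_i"]) if m["idle_i"] is not None else None
            # An SA that has never received a packet also counts as a silent peer.
            expected = bool(delay) and (idle is None or idle >= delay)
            reports.append(ChildReport(m["conn"], int(m["id"]), delay,
                                       actions.get(m["conn"]), idle, expected))
    return reports
```

On the quoted output this reports an inbound idle time of 2201s against dpddelay=30s, so a probe should already have been on the wire; pairing the check with a tcpdump filter for IKE traffic (UDP 500/4500) narrows the question to why charon did not send one.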