[strongSwan] How is DPD meant to work?
Alan Ford
alan.ford at gmail.com
Wed Mar 12 00:47:07 CET 2014
Hi all,
I am using StrongSwan 5.1.1, and despite enabling DPD my SAs are not being
cleared. I am probably misunderstanding what DPD is for, so I am hoping
someone can clarify. Here's my scenario:
Two nodes, 10.0.0.1 and 10.0.0.2. Node 2 has the connection as auto=route
so is responsible for its creation (Node 1 is auto=add).
If I hard power-cycle Node 1, the SA remains until the Child SA rekeys. I
had thought I could get around this with DPD, so that it would detect Node
1 had no state for that connection and close it, thus triggering a
re-establishment. But this is not working: despite having DPD configured, it
still waits until the Child SA rekeys naturally.
Shortly before this, the ipsec statusall looked like this:
node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s
node-10.0.0.1: local: [10.0.0.2] uses public key authentication
node-10.0.0.1: cert: "C=UK, ST=Berkshire, L=Reading, O=Pexip, CN=worker1.rd.pexip.com"
node-10.0.0.1: remote: [10.0.0.1] uses public key authentication
node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear
Routed Connections:
node-10.0.0.1{1}: ROUTED, TRANSPORT
node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32
Security Associations (1 up, 0 connecting):
node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
node-10.0.0.1[1]: IKEv2 SPIs: 9863a6900108aca4_i* 4ef81353c656500c_r, rekeying in 2 hours
node-10.0.0.1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
node-10.0.0.1{1}: 10.0.0.2/32 === 10.0.0.1/32
My ipsec.conf reads on Node 1:
config setup

conn %default
    left=10.0.0.1
    leftcert=cert.pem
    rightca=%same
    reauth=no
    type=transport
    mobike=no
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!
    keyingtries=%forever
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=120s

conn node-10.0.0.2
    right=10.0.0.2
    auto=add
And on Node 2 it's auto=route pointing to 10.0.0.1 but otherwise the same.
A tcpdump showed no IKE INFORMATIONAL messages being sent from Node 2. No
charon logs in syslog existed in this time either. Can anybody please help
me understand why DPD is not probing here? Or do I need some other setting?
Thanks in advance,
Alan
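The `ipsec statusall` excerpt above already shows the symptom in numbers: the child SA's inbound side was last used 2201s ago while the outbound side sent a packet 1s ago, far beyond the configured dpddelay of 30s. The following script, added here as an example and not part of the post or of strongSwan, parses that status output (format and regexes assumed from the lines quoted above) and flags child SAs in exactly that one-sided state, which is a useful check to run before asking why no INFORMATIONAL probes appear in a capture.

```python
import re

# Sample `ipsec statusall` excerpt, constructed from the lines quoted in the post.
STATUS = """\
node-10.0.0.1: 10.0.0.2...10.0.0.1 IKEv1/2, dpddelay=30s
node-10.0.0.1: child: dynamic === dynamic TRANSPORT, dpdaction=clear
node-10.0.0.1[1]: ESTABLISHED 37 minutes ago, 10.0.0.2[10.0.0.2]...10.0.0.1[10.0.0.1]
node-10.0.0.1{1}: INSTALLED, TRANSPORT, ESP SPIs: ce050f88_i c5e9f676_o
node-10.0.0.1{1}: AES_CBC_256/HMAC_SHA2_512_256, 401578 bytes_i (1200 pkts, 2201s ago), 1699348 bytes_o (5270 pkts, 1s ago), rekeying in 4 minutes
"""

# Regexes are assumptions based on the 5.1.x output shown in the post.
DPD_RE = re.compile(r"^(?P<conn>\S+): .*dpddelay=(?P<delay>\d+)s")
CHILD_RE = re.compile(
    r"^(?P<conn>\S+)\{(?P<id>\d+)\}: .*?bytes_i \((?P<pkts_i>\d+) pkts, (?P<idle_i>\d+)s ago\)"
    r".*?bytes_o \((?P<pkts_o>\d+) pkts, (?P<idle_o>\d+)s ago\)"
)


def parse_status(text):
    """Return ({conn: dpddelay seconds}, [child SA dicts with idle times])."""
    delays, children = {}, []
    for line in text.splitlines():
        m = DPD_RE.match(line)
        if m:
            delays[m.group("conn")] = int(m.group("delay"))
            continue
        m = CHILD_RE.match(line)
        if m:
            children.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return delays, children


def stale_children(text):
    """Child SAs we keep sending on while nothing has arrived from the peer for longer than dpddelay."""
    delays, children = parse_status(text)
    stale = []
    for c in children:
        delay = delays.get(c["conn"])
        if delay is None:
            continue  # no dpddelay configured for this conn, nothing to compare against
        if c["idle_i"] > delay and c["idle_o"] <= delay:
            stale.append((c["conn"], c["id"], c["idle_i"], delay))
    return stale


if __name__ == "__main__":
    for conn, cid, idle, delay in stale_children(STATUS):
        print(f"{conn}{{{cid}}}: no inbound traffic for {idle}s, dpddelay={delay}s")
```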