[strongSwan] fail to send DPD

Bingzheng Wu wubingzheng at gmail.com
Tue Aug 9 15:11:20 CEST 2016


Hi all

I have 2 IPSEC servers and 2 clients.
Both clients connect to both servers, so there are 4 sessions.

Some days ago, the network of the servers' IDC broke for several minutes.
Then the 2 servers sent DPD messages to the clients.
The clients received them and replied, but the servers did not receive the
replies.
Then the 2 servers shut down the sessions.
So far so good.

However, the 2 clients still thought the sessions were good, and did not
send any DPD messages.

So there was a mismatch between the servers and clients.

Anyone know the possible reason?


Thanks in advance
Wu


===configuration of servers:===
  config setup

  conn listen-xxx
    right=%any
    auto=add
    leftcert=cert.pem
    rightca="CN=test-CA"
    type=transport
    keyexchange=ikev2
    esp=aes128gcm12,aes128-sha1
    ikelifetime=365d
    lifetime=1d
    dpdaction=clear

===configuration of clients:===
  config setup

  conn %default
    leftcert=cert.pem
    rightca="CN=test-CA"
    type=transport
    keyexchange=ikev2
    esp=aes128gcm12,aes128-sha1
    ikelifetime=365d
    lifetime=1d
    auto=start
    dpdaction=restart
    closeaction=restart
    keyingtries=%forever

  conn xxx1
    right=1.2.3.5
    rightid="CN=xxx1"
  conn xxx2
    right=1.2.3.4
    rightid="CN=xxx2"
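An added audit helper, not part of the original post or of strongSwan itself: it resolves the effective dpdaction and dpddelay for every conn in an ipsec.conf, including values inherited from conn %default as in the client configuration above. It assumes strongSwan's documented defaults (dpdaction=none, dpddelay=30s) and uses a constructed sample config modelled on the one posted.

```shell
#!/bin/sh
# Constructed sample config, modelled on the client config in the post.
SAMPLE_CONF='config setup

conn %default
    keyexchange=ikev2
    auto=start
    dpdaction=restart
    closeaction=restart

conn xxx1
    right=1.2.3.5
    rightid="CN=xxx1"

conn xxx2
    right=1.2.3.4
    dpdaction=none
'

# effective_dpd <conf-text>: prints "<conn> <dpdaction> <dpddelay>" per conn,
# applying conn-level value, then %default, then the assumed strongSwan defaults.
effective_dpd() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*conn[ \t]+/   { sect=$2; if (sect != "%default") order[++n]=sect; next }
        /^[ \t]*config[ \t]+/ { sect=""; next }
        /^[ \t]*(dpdaction|dpddelay)[ \t]*=/ && sect != "" {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            val[sect, kv[1]] = kv[2]; next }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                a = ((c,"dpdaction") in val) ? val[c,"dpdaction"] : \
                    (("%default","dpdaction") in val) ? val["%default","dpdaction"] : "none"
                d = ((c,"dpddelay") in val) ? val[c,"dpddelay"] : \
                    (("%default","dpddelay") in val) ? val["%default","dpddelay"] : "30s"
                printf "%s %s %s\n", c, a, d
            }
        }'
}

effective_dpd "$SAMPLE_CONF"
```

A conn whose effective dpdaction is none never initiates DPD, so listing the resolved values side by side for the server and client files is a quick first check when the two peers disagree about a session's liveness.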