[strongSwan] StrongSwan not responding to DPD messages when modeconfig=push.

chaitanya vinnakota chaitanya.sai.v at gmail.com
Wed Oct 19 09:26:12 CEST 2016 

Hi All,

We are trying to establish a connection between Shrew Soft VPN Client
and Strong Swan 5.3.0 server .  The Strong Swan server is not
configured with any IP Pool and therefore the Shrew-Soft VPN client
proposes an IP address to strongswan to assign it back to the
client.The IKEv1 Phase 1 and Phase 2 went well and the server assigned
the request IP by the client.

However , the connection was up only for about 30 seconds and later it
got terminated by the Shrew-Soft client as the Strongswan server was
not responding to the DPD messages sent by the vpn client.  Strongswan
 queued all the 6 received  DPD requests, but did'nt respond even to
one message. As a result of this, vpn client sent DELETE payload
message and eventually the connection was brought down by the
strongswan after honoring the DELETE payload request.

Below is the excerpt from the messages displayed by strongswan:-


Sep 24 12:58:52 router6654A1 charon:<info> 13[IKE] queueing ISAKMP_DPD task
Sep 24 12:58:52 router6654A1 charon:<info> 13[IKE] delaying task
initiation, TRANSACTION exchange in progress
Sep 24 12:58:54 router6654A1 charon:<info> 12[NET] received packet:
from 44.44.44.2[500] to 44.44.44.1[500] (84 bytes)
Sep 24 12:58:54 router6654A1 charon:<info> 12[ENC] parsed
INFORMATIONAL_V1 request 3103766190 [ HASH N(DPD) ]
Sep 24 12:58:54 router6654A1 charon:<info> 12[IKE] queueing ISAKMP_DPD task
Sep 24 12:58:54 router6654A1 charon:<info> 12[IKE] delaying task
initiation, TRANSACTION exchange in progress
Sep 24 12:58:55 router6654A1 charon:<info> 07[KNL] querying SAD entry
with SPI cc9487a6
Sep 24 12:58:56 router6654A1 charon:<info> 01[NET] received packet:
from 44.44.44.2[500] to 44.44.44.1[500] (68 bytes)
Sep 24 12:58:56 router6654A1 charon:<info> 01[ENC] parsed
INFORMATIONAL_V1 request 806565993 [ HASH D ]
Sep 24 12:58:56 router6654A1 charon:<info> 01[IKE] received DELETE for
ESP CHILD_SA with SPI ac159eb3
Sep 24 12:58:56 router6654A1 charon:<info> 01[KNL] querying SAD entry
with SPI cc9487a6
Sep 24 12:58:56 router6654A1 charon:<info> 01[KNL] querying SAD entry
with SPI ac159eb3
Sep 24 12:58:56 router6654A1 charon:<info> 01[IKE] closing CHILD_SA
c2s_ShrewSoftSrv{42} with SPIs cc9487a6_i (0 bytes) ac159eb3_o (0
bytes) and TS 0.0.0.0/0 === 10.0.0.1/32
Sep 24 12:58:56 router6654A1 charon:<info> Last message '01[IKE]
closing CHIL' repeated 1 times, supressed by syslog-ng on router6654A1


Below is the strongswan configuration

conn c2s_ShrewSoftSrv
        auto=add
        left=44.44.44.1
        right=44.44.44.2
        aggressive=yes
        leftauth=psk
        rightauth=psk
        leftid=44.44.44.1
        rightid=44.44.44.2
        ike=3des-sha1-modp1024!
        ikelifetime=28800s
        esp=3des-sha1!
        lifetime=3600s
        rekeymargin=180s
        dpddelay=40
        dpdtimeout=120
        dpdaction=clear
        rightsourceip=111.0.0.10-111.0.0.100
        modeconfig=pull
        leftsubnet=0.0.0.0/0
        rightauth2=xauth
        xauth=server
        rightdns=192.168.1.1

Thanks
Chaitanya

More information about the Users mailing list