[strongSwan] DPD issues when using multiple interfaces to same Gateway

Modster, Anthony Anthony.Modster at Teledyne.com
Sat Apr 22 00:55:06 CEST 2017


Hello Tobias
See below

-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Friday, April 21, 2017 11:34 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; Marc Obbad <marc.obbad at gmail.com>; Users at lists.strongswan.org
Subject: Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

Hi Anthony,

>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
>> communicate with the Gateway but the others can, what happens if the DPD timer
>> expires in only one of them?
> 
> Yes, they apply to each IKE_SA individually.
> A.M. DpdAction=clear, and multiple interfaces, after one DPD timer expires, it may not clear.
> If DpdAction=clear, and single interface, after DPD timer expires, it does clear.

So what happens instead?  Please post some logs that show this difference in behavior (and the config that goes with it).

>> 2- When we set DPD action as restart, do we need to terminate the
>> current IKE after the DPD timer expires, or is it done automatically?
> 
> The SA will be automatically restarted.
> A.M. after the restart and the interface comes back up, the tunnel indicates ESTABLISHED, but is not usable.

What makes it unusable?  Are routes missing?  Firewall rules?  Policies or SAs in the kernel?

A.M.1
We moved our interfaces to different subnets and are able to use DpdAction=restart, and the tunnel recovers on reconnection (but only if the reconnection occurs after the dpd timeout).
If the reconnection occurs during the initial dpd timeout period (using the same connection as the disconnect), the tunnel comes up, but is not usable.
The log indicates that the DPD requests are sent and received.

Note: ping indicates
root at wglng-6:~# ping -I 20.20.220.26 40.40.40.15
PING 40.40.40.15 (40.40.40.15) from 20.20.220.26: 56 data bytes
ping: can't set multicast source interface

Below is the ping test, before the disconnect:
root at wglng-6:~# ping -I 20.20.220.26 40.40.40.15
PING 40.40.40.15 (40.40.40.15) from 20.20.220.46: 56 data bytes
64 bytes from 40.40.40.15: seq=0 ttl=128 time=24.577 ms
64 bytes from 40.40.40.15: seq=1 ttl=128 time=23.270 ms
64 bytes from 40.40.40.15: seq=2 ttl=128 time=22.911 ms
64 bytes from 40.40.40.15: seq=3 ttl=128 time=50.389 ms
64 bytes from 40.40.40.15: seq=4 ttl=128 time=35.077 ms
64 bytes from 40.40.40.15: seq=5 ttl=128 time=33.284 ms

--- 40.40.40.15 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 22.911/31.584/50.389 ms

Regards,
Tobias

-------------- next part --------------
A non-text attachment was scrubbed...
Name: security_edit.log
Type: application/octet-stream
Size: 80517 bytes
Desc: security_edit.log
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170421/bae7f29d/attachment-0001.obj>
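A small checker for the kernel-side question raised above (are the policies and SAs in the kernel?), added here as an example and not part of the thread or of strongSwan itself: it parses `ip xfrm policy` and `ip xfrm state` output and reports whether an outbound flow is covered by an out-policy whose template has a matching SA. The sample output, addresses and SPI are constructed for the example.

```python
import ipaddress
import re
# Constructed `ip xfrm policy` / `ip xfrm state` output; addresses and SPI are made up.
POLICY_OUT = """\
src 20.20.220.0/24 dst 40.40.40.0/24
\tdir out priority 375423 ptype main
\ttmpl src 20.20.220.46 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 40.40.40.0/24 dst 20.20.220.0/24
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 20.20.220.46
\t\tproto esp reqid 1 mode tunnel
"""
# Only the inbound SA is installed; the outbound one is missing.
STATE_OUT = """\
src 198.51.100.1 dst 20.20.220.46
\tproto esp spi 0xc9a1f002 reqid 1 mode tunnel
"""

def parse_xfrm(text):
    """One dict per `ip xfrm policy`/`ip xfrm state` entry: src, dst, dir,
    tmpl (src, dst) and reqid (0 when absent)."""
    entries = []
    for block in re.split(r"\n(?=src )", text.strip()):
        m = re.match(r"src (\S+) dst (\S+)", block)
        d = re.search(r"\bdir (\w+)", block)
        t = re.search(r"tmpl src (\S+) dst (\S+)", block)
        r = re.search(r"\breqid (\d+)", block)
        if m:
            entries.append({"src": m[1], "dst": m[2], "dir": d[1] if d else None,
                            "tmpl": (t[1], t[2]) if t else None,
                            "reqid": int(r[1]) if r else 0})
    return entries

def check_flow(src_ip, dst_ip, policies, states):
    """Classify an outbound flow: 'ok' (out policy with a matching SA), 'no-sa'
    (policy whose template has no SA, so packets are dropped), 'bypass'
    (policy without template) or 'no-policy' (traffic leaves in the clear)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] != "out" or s not in ipaddress.ip_network(p["src"], strict=False) \
                or d not in ipaddress.ip_network(p["dst"], strict=False):
            continue
        if p["tmpl"] is None:
            return "bypass"
        if any((sa["src"], sa["dst"]) == p["tmpl"] and p["reqid"] in (0, sa["reqid"])
               for sa in states):
            return "ok"
        return "no-sa"
    return "no-policy"
```

Run it on the real output of `ip xfrm policy` and `ip xfrm state` from the host whose tunnel shows ESTABLISHED but carries no traffic; "no-sa" points at the kernel state rather than at routing or firewalling.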