[strongSwan] dpd not getting triggered

Andreas Steffen andreas.steffen at strongswan.org
Fri Jan 12 10:15:35 CET 2018


Hi Kalyani,

strongSwan uses NAT detection payloads in INFORMATIONAL messages with
RFC 4555 MOBIKE which is enabled by default. See

  https://tools.ietf.org/html/rfc4555#section-3.8

Regards

Andreas

On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
> Hi,
>
> Thanks a lot for the reply. It worked. I see the dpd triggering now.
>
> I am working on a case when dpd from strongswan sends the nat detection
> payloads.
> 
> I wanted to know upon which conditions strongswan would send dpd request
> with nat_detection_src_ip and nat_detection_dst_ip.
>
> Is it done only in a specific case, like when strongswan is behind the NAT?
> And strongswan is in remote-access-client?
>
> Regards,
> 
> kalyani
>
> *From:*bls s [mailto:blscl at outlook.com]
> *Sent:* Friday, January 12, 2018 6:40 AM
> *To:* Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>;
> users at lists.strongswan.org
> *Subject:* RE: [strongSwan] dpd not getting triggered
>
> By default dpdaction=none, which disables sending dpd messages.
>
> *From: *Kalyani Garigipati (kagarigi) <mailto:kagarigi at cisco.com>
> *Sent: *Thursday, January 11, 2018 10:47 AM
> *To: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> *Subject: *[strongSwan] dpd not getting triggered
>
> Hi,
> 
> I am using strongswan version 5.6.1
> I found that even though I configured dpd using dpddelay and dpdtimeout,
> dpd is not getting triggered from strongswan client at all even though
> there is no traffic passing.
> Please let me know how to debug this.
> 
> 
> config setup
>          charondebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
> 
> conn %default
>        ikelifetime=100m
>        keylife=20m
>        rekeymargin=8m
>        keyingtries=1
>        authby=psk
>        keyexchange=ikev2
>        ike=aes256-sha256-modp1024
>        esp=3des-sha1
>        mobike=yes
>        dpddelay=5s
>        dpdtimeout=150s
> 
> # Add connections here.
> 
> # Add connections here.
> conn net-net
>         left=10.127.47.104
>         leftsubnet=10.127.47.104/32
>         leftid=10.127.47.104
>         right=10.104.108.110
>         rightsubnet=10.104.108.110/32
>         rightid=10.104.108.110
>         auto=start
> 
> ~
> Regards,
> kalyani
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
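
A check for the misconfiguration this thread resolves, as an added example that is not part of the original messages or of strongSwan: it flags ipsec.conf conns where dpddelay/dpdtimeout are set but dpdaction is left at its default of none, so no DPD is ever sent. The function names and the SAMPLE text (an abbreviated copy of the posted config) are constructed here; `also=` includes are not resolved.

```python
import re

DPD_TIMERS = ("dpddelay", "dpdtimeout")

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:  # indented key=value in a conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def silent_dpd(text):
    """Names of conns with DPD timers set while dpdaction is unset or 'none'."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})          # inherited by every conn
    findings = []
    for name, own in conns.items():
        eff = {**defaults, **own}                 # conn settings override %default
        timers_set = any(k in eff for k in DPD_TIMERS)
        if timers_set and eff.get("dpdaction", "none") == "none":
            findings.append(name)
    return findings

# Constructed sample: abbreviated copy of the config posted in this thread.
SAMPLE = """\
config setup
        charondebug=all

conn %default
        keyexchange=ikev2
        mobike=yes
        dpddelay=5s
        dpdtimeout=150s

conn net-net
        left=10.127.47.104
        right=10.104.108.110
        auto=start
"""

if __name__ == "__main__":
    for name in silent_dpd(SAMPLE):
        print(f"conn {name}: DPD timers set but dpdaction=none, no DPD is sent")
```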
