[strongSwan] dpd not getting triggered

Kalyani Garigipati (kagarigi) kagarigi at cisco.com
Sun Jan 14 18:12:18 CET 2018


Hi,

Could someone reply on this, please?

Regards,
Kalyani

-----Original Message-----
From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of Kalyani Garigipati (kagarigi)
Sent: Friday, January 12, 2018 5:22 PM
To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <blscl at outlook.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] dpd not getting triggered

Hi Andreas,

Sorry the message came unformatted.

Basically, the message is going out without NAT payloads:

generating INFORMATIONAL request 3 []

Please let me know if I have to enable something. I have already enabled MOBIKE.

regards,
kalyani




-----Original Message-----
From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of Kalyani Garigipati (kagarigi)
Sent: Friday, January 12, 2018 4:14 PM
To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <blscl at outlook.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] dpd not getting triggered

Hi Andreas,

But I observed that even though I enabled MOBIKE, DPD is not sending the NAT detection payloads.

Below are the logs. I am using strongSwan 5.6.1.

charon: 08[NET] sending packet: from 10.127.47.104[500] to 10.104.108.110[500] (524 bytes)
Jan 12 08:34:10 strongswan charon: 10[NET] received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)
Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID
Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
Jan 12 08:34:10 strongswan charon: 10[IKE] received FRAGMENTATION vendor ID
Jan 12 08:34:10 strongswan charon: 10[IKE] received 1 cert requests for an unknown ca
Jan 12 08:34:10 strongswan charon: 10[IKE] sending cert request for "C=US, O=Cisco, CN=BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"
Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of '10.127.47.104' (myself) with pre-shared key
Jan 12 08:34:10 strongswan charon: 10[IKE] establishing CHILD_SA net-net{1}
Jan 12 08:34:10 strongswan charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 12 08:34:10 strongswan charon: 10[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528 bytes)
Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes)
Jan 12 08:34:10 strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
Jan 12 08:34:10 strongswan charon: 11[IKE] authentication of '10.104.108.110' with pre-shared key successful
Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]
Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in 5093s
Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime 5573s
Jan 12 08:34:10 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 12 08:34:10 strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]

Regards,
Kalyani

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Friday, January 12, 2018 2:46 PM
To: Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>; bls s <blscl at outlook.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] dpd not getting triggered

Hi Kalyani,

strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC 4555 MOBIKE, which is enabled by default. See

  https://tools.ietf.org/html/rfc4555#section-3.8

Regards

Andreas

On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
> Hi,
> 
>  
> 
> Thanks a lot for the reply. It worked. I see the DPD triggering now.
> 
> I am working on a case where DPD from strongSwan sends the NAT
> detection payloads.
> 
> I wanted to know under which conditions strongSwan would send a DPD
> request with nat_detection_src_ip and nat_detection_dst_ip.
> 
> Is it done only in specific cases, like when strongSwan is behind
> NAT and strongSwan is a remote-access client?
> 
>  
> 
> Regards,
> 
> kalyani
> 
>  
> 
> *From:*bls s [mailto:blscl at outlook.com]
> *Sent:* Friday, January 12, 2018 6:40 AM
> *To:* Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>; 
> users at lists.strongswan.org
> *Subject:* RE: [strongSwan] dpd not getting triggered
> 
>  
> 
> By default dpdaction=none, which disables sending DPD messages.
> 
>  
> 
> *From: *Kalyani Garigipati (kagarigi) <mailto:kagarigi at cisco.com>
> *Sent: *Thursday, January 11, 2018 10:47 AM
> *To: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> *Subject: *[strongSwan] dpd not getting triggered
> 
>  
> 
> Hi,
> 
> I am using strongSwan version 5.6.1.
> I found that even though I configured DPD using dpddelay and
> dpdtimeout, DPD is not getting triggered from the strongSwan client at all,
> even though there is no traffic passing.
> Please let me know how to debug this.
> 
> 
> config setup
>         charondebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
> 
> conn %default
>         ikelifetime=100m
>         keylife=20m
>         rekeymargin=8m
>         keyingtries=1
>         authby=psk
>         keyexchange=ikev2
>         ike=aes256-sha256-modp1024
>         esp=3des-sha1
>         mobike=yes
>         dpddelay=5s
>         dpdtimeout=150s
> 
> # Add connections here.
> conn net-net
>         left=10.127.47.104
>         leftsubnet=10.127.47.104/32
>         leftid=10.127.47.104
>         right=10.104.108.110
>         rightsubnet=10.104.108.110/32
>         rightid=10.104.108.110
>         auto=start
> 
> Regards,
> kalyani
> 

--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
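The two points this thread turns on, whether dpdaction is left at its default of none and whether a DPD INFORMATIONAL request carries the MOBIKE NAT detection notifies, can both be checked mechanically from the files the poster already has. The following is an added example, not code from the thread or from strongSwan: it parses an ipsec.conf fragment taken from the quoted config and charon log lines in the format quoted above. The message-ID-4 log pair is constructed to show what a DPD request that does carry N(NATD_S_IP)/N(NATD_D_IP) would look like; the pairing of "sending DPD request" with the next generated INFORMATIONAL request on the same charon thread number, and the dpddelay default of 30s, are assumptions of this example rather than something the thread states.

```python
"""Added example, not code from the thread or from strongSwan.

  1. effective_dpd_settings(): merge conn %default into the named conn and
     report the effective dpdaction (strongSwan's default is none, which
     disables sending DPD requests, as the first reply in the thread says).
  2. outbound_dpd_requests(): pair each 'sending DPD request' line with the
     INFORMATIONAL request generated on the same charon thread and flag
     whether it carries the MOBIKE NAT detection notifies N(NATD_S_IP) and
     N(NATD_D_IP) (RFC 4555 section 3.8).
"""
import re

# Config fragment copied from the thread; dpdaction is absent on purpose.
IPSEC_CONF = """\
conn %default
        keyexchange=ikev2
        authby=psk
        mobike=yes
        dpddelay=5s
        dpdtimeout=150s

conn net-net
        left=10.127.47.104
        right=10.104.108.110
        auto=start
"""

# Same fragment with the setting the first reply points at added to %default.
IPSEC_CONF_FIXED = IPSEC_CONF.replace(
    "dpdtimeout=150s", "dpdtimeout=150s\n        dpdaction=restart")

# Log lines from the thread plus one CONSTRUCTED pair (message ID 4) showing
# what a DPD request that does carry the NAT detection notifies looks like.
CHARON_LOG = """\
Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
Jan 12 08:34:25 strongswan charon: 08[IKE] sending DPD request
Jan 12 08:34:25 strongswan charon: 08[ENC] generating INFORMATIONAL request 4 [ N(NATD_S_IP) N(NATD_D_IP) ]
"""

LOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
MSG_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exch>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[(?P<payloads>[^\]]*)\]$")
NATD = {"N(NATD_S_IP)", "N(NATD_D_IP)"}


def parse_ipsec_conf(text):
    """Return {(section_type, name): {key: value}} for config/conn/ca sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        parts = line.split()
        if not raw[0].isspace() and len(parts) == 2 and parts[0] in ("config", "conn", "ca"):
            current = (parts[0], parts[1])        # unindented section header
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_dpd_settings(sections, conn):
    """Settings for `conn` after applying conn %default. Fallbacks: dpdaction=none
    and mobike=yes are stated in the thread; dpddelay=30s is assumed here."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections.get(("conn", conn), {}))
    return {"dpdaction": merged.get("dpdaction", "none"),
            "dpddelay": merged.get("dpddelay", "30s"),
            "mobike": merged.get("mobike", "yes")}


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(lines):
    return [m.groupdict() for m in map(LOG_RE.match, (ln.strip() for ln in lines)) if m]


def outbound_dpd_requests(events):
    """INFORMATIONAL requests generated after 'sending DPD request' on the same
    charon thread (assumption: that thread pairing identifies the DPD)."""
    pending, dpds = set(), []
    for ev in events:
        if ev["msg"] == "sending DPD request":
            pending.add(ev["thread"])
            continue
        m = MSG_RE.match(ev["msg"])
        if (m and m["dir"] == "generating" and m["exch"] == "INFORMATIONAL"
                and m["kind"] == "request" and ev["thread"] in pending):
            pending.discard(ev["thread"])
            payloads = m["payloads"].split()
            dpds.append({"mid": int(m["mid"]), "t": to_seconds(ev["time"]),
                         "payloads": payloads, "natd": NATD <= set(payloads)})
    return dpds


def dpd_intervals(dpds):
    """Seconds between consecutive DPD requests, to compare against dpddelay."""
    return [b["t"] - a["t"] for a, b in zip(dpds, dpds[1:])]


if __name__ == "__main__":
    for name, conf in (("as posted", IPSEC_CONF), ("fixed", IPSEC_CONF_FIXED)):
        print(name, effective_dpd_settings(parse_ipsec_conf(conf), "net-net"))
    dpds = outbound_dpd_requests(parse_log(CHARON_LOG.splitlines()))
    for d in dpds:
        print(f"DPD request {d['mid']}: NAT-D payloads {'present' if d['natd'] else 'absent'}")
    print("intervals:", dpd_intervals(dpds))
```

Run against the thread's own lines this reports dpdaction=none for the posted config, restart once the line is added, DPD requests 2 and 3 with an empty payload list five seconds apart (matching dpddelay=5s), and only the constructed request 4 carrying the NAT detection notifies. Point parse_log at a real charon log to answer the same questions for a live IKE_SA.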


