[strongSwan] dpd not getting triggered

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Jan 15 19:05:18 CET 2018


Oops!!!... my comments are completely in the wrong context... and do not
really apply... please forgive me... sorry for this



On Mon, Jan 15, 2018 at 11:26 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:

> Hi
>
>
> Are these below not dpd-keepalive informational messages?... I think
> dpd-keepalive is being exchanged between the peers...
>
> =========================
> 1[IKE] peer supports MOBIKE
> Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
> Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
> Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
> Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
> Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
> Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
> ===============================
>
>
> On Sun, Jan 14, 2018 at 10:42 PM, Kalyani Garigipati (kagarigi) <
> kagarigi at cisco.com> wrote:
>
>> Hi,
>>
>> Could someone reply on this please
>>
>> Regards,
>> Kalyani
>>
>> -----Original Message-----
>> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of
>> Kalyani Garigipati (kagarigi)
>> Sent: Friday, January 12, 2018 5:22 PM
>> To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <
>> blscl at outlook.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] dpd not getting triggered
>>
>> Hi Andreas,
>>
>> Sorry the message came unformatted.
>>
>> Basically the message is going without NAT payloads:
>>
>> generating INFORMATIONAL request 3 []
>>
>> Please let me know if I have to enable something. I already enabled
>> mobike.
>>
>> regards,
>> kalyani
>>
>>
>>
>>
>> -----Original Message-----
>> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of
>> Kalyani Garigipati (kagarigi)
>> Sent: Friday, January 12, 2018 4:14 PM
>> To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <
>> blscl at outlook.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] dpd not getting triggered
>>
>> Hi Andreas,
>>
>> But I observed that even though I enabled mobike, dpd is not sending the
>> NAT detection payload.
>>
>> Below are the logs. I am using strongswan-5.6.1
>>
>> charon: 08[NET] sending packet: from 10.127.47.104[500] to 10.104.108.110[500] (524 bytes)
>> Jan 12 08:34:10 strongswan charon: 10[NET] received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)
>> Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
>> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID
>> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
>> Jan 12 08:34:10 strongswan charon: 10[IKE] received FRAGMENTATION vendor ID
>> Jan 12 08:34:10 strongswan charon: 10[IKE] received 1 cert requests for an unknown ca
>> Jan 12 08:34:10 strongswan charon: 10[IKE] sending cert request for "C=US, O=Cisco, CN=BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"
>> Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of '10.127.47.104' (myself) with pre-shared key
>> Jan 12 08:34:10 strongswan charon: 10[IKE] establishing CHILD_SA net-net{1}
>> Jan 12 08:34:10 strongswan charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> Jan 12 08:34:10 strongswan charon: 10[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528 bytes)
>> Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes)
>> Jan 12 08:34:10 strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
>> Jan 12 08:34:10 strongswan charon: 11[IKE] authentication of '10.104.108.110' with pre-shared key successful
>> Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]
>> Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in 5093s
>> Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime 5573s
>> Jan 12 08:34:10 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Jan 12 08:34:10 strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32
>> Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
>> Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
>> Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
>> Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
>> Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
>> Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
>> Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
>> Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
>> Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
>> Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
>> Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
>>
>> Regards,
>> Kalyani
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>> Sent: Friday, January 12, 2018 2:46 PM
>> To: Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>; bls s <
>> blscl at outlook.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] dpd not getting triggered
>>
>> Hi Kalyani,
>>
>> strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC
>> 4555 MOBIKE which is enabled by default. See
>>
>>   https://tools.ietf.org/html/rfc4555#section-3.8
>>
>> Regards
>>
>> Andreas
>>
>> On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
>> > Hi,
>> >
>> >
>> >
>> > Thanks a lot for the reply. It worked. I see the dpd triggering now.
>> >
>> >
>> >
>> > I am working on a case when dpd from strongswan sends the nat
>> > detection payloads.
>> >
>> > I wanted to know upon which conditions strongswan would send dpd
>> > request with nat_detection_src_ip and nat_detection_dst_ip.
>> >
>> >
>> >
>> > Is it done only in specific cases, like when strongSwan is behind a
>> > NAT and strongSwan is a remote-access client?
>> >
>> >
>> >
>> > Regards,
>> >
>> > kalyani
>> >
>> >
>> >
>> > *From:*bls s [mailto:blscl at outlook.com]
>> > *Sent:* Friday, January 12, 2018 6:40 AM
>> > *To:* Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>;
>> > users at lists.strongswan.org
>> > *Subject:* RE: [strongSwan] dpd not getting triggered
>> >
>> >
>> >
>> > By default dpdaction=none, which disables sending dpd messages.
>> >
>> >
>> >
>> > *From: *Kalyani Garigipati (kagarigi) <mailto:kagarigi at cisco.com>
>> > *Sent: *Thursday, January 11, 2018 10:47 AM
>> > *To: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>> > *Subject: *[strongSwan] dpd not getting triggered
>> >
>> >
>> >
>> > Hi,
>> >
>> > I am using strongswan version 5.6.1
>> > I found that even though I configured dpd using dpddelay and
>> > dpdtimeout, dpd is not getting triggered from strongswan client at all
>> > even though there is no traffic passing.
>> > Please let me know how to debug this.
>> >
>> >
>> > config setup
>> >         charondebug=all
>> >         # crlcheckinterval=600
>> >         # strictcrlpolicy=yes
>> >         # cachecrls=yes
>> >         # nat_traversal=yes
>> >         # charonstart=no
>> >
>> > conn %default
>> >         ikelifetime=100m
>> >         keylife=20m
>> >         rekeymargin=8m
>> >         keyingtries=1
>> >         authby=psk
>> >         keyexchange=ikev2
>> >         ike=aes256-sha256-modp1024
>> >         esp=3des-sha1
>> >         mobike=yes
>> >         dpddelay=5s
>> >         dpdtimeout=150s
>> >
>> > # Add connections here.
>> > conn net-net
>> >         left=10.127.47.104
>> >         leftsubnet=10.127.47.104/32
>> >         leftid=10.127.47.104
>> >         right=10.104.108.110
>> >         rightsubnet=10.104.108.110/32
>> >         rightid=10.104.108.110
>> >         auto=start
>> >
>> > Regards,
>> > kalyani
>> >
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Networked Solutions
>> HSR University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[INS-HSR]==
>>
>>
>
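The thread turns on two things that are only visible in the charon log: whether DPD requests are being sent at all (the original problem, which bls s traces to the default dpdaction=none), and what a DPD INFORMATIONAL request carries in its payload list (Andreas points out that NAT detection payloads ride in INFORMATIONAL exchanges under MOBIKE). The following is an added example, not code from the thread or from the strongSwan project: a small Python parser for the charon log format shown above that picks out DPD exchanges, pairs each request with its response by message ID, reports the interval between requests (to compare with dpddelay) and how long the peer has been silent (to compare with dpdtimeout), and flags which requests carried N(NATD_S_IP)/N(NATD_D_IP). The sample log lines are constructed in the same format as the thread's; the request 4 line carrying NAT detection payloads and the two unanswered requests are assumptions made to exercise the checks.

```python
import re
from dataclasses import dataclass, field

# One charon line: "<Mon DD HH:MM:SS> <host> charon: <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)
# "generating INFORMATIONAL request 2 [ ]" / "parsed INFORMATIONAL response 2 [ ]"
INFO_RE = re.compile(
    r"(?P<dir>generating|parsed) INFORMATIONAL (?P<kind>request|response) "
    r"(?P<mid>\d+) \[(?P<payloads>.*?)\]"
)
# Notify payloads are printed as N(NAME) inside the payload list
NOTIFY_RE = re.compile(r"N\(([A-Z0-9_]+)\)")

# Constructed sample (not from the thread): a DPD series in the thread's log format
SAMPLE_LOG = """\
Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
Jan 12 08:34:25 strongswan charon: 09[IKE] sending DPD request
Jan 12 08:34:25 strongswan charon: 09[ENC] generating INFORMATIONAL request 4 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 12 08:34:30 strongswan charon: 12[IKE] sending DPD request
Jan 12 08:34:30 strongswan charon: 12[ENC] generating INFORMATIONAL request 5 [ ]
"""

# Constructed sample of the original symptom: SA up, no DPD ever sent
QUIET_LOG = """\
Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
"""


@dataclass
class DpdExchange:
    msg_id: int
    sent_at: int                      # seconds since midnight (log has no year)
    notifies: list = field(default_factory=list)
    answered: bool = False

    @property
    def has_nat_detection(self) -> bool:
        return "NATD_S_IP" in self.notifies and "NATD_D_IP" in self.notifies


def _seconds(ts: str) -> int:
    hh, mm, ss = ts.split()[-1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def analyze_dpd(log_text: str) -> dict:
    """Return {message_id: DpdExchange} for every DPD request found in the log."""
    exchanges = {}
    pending_dpd = False               # set by "sending DPD request", consumed by the next request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg == "sending DPD request":
            pending_dpd = True
            continue
        im = INFO_RE.search(msg)
        if not im:
            continue
        mid = int(im.group("mid"))
        if im.group("dir") == "generating" and im.group("kind") == "request":
            if pending_dpd:           # only the INFORMATIONAL announced as DPD counts
                exchanges[mid] = DpdExchange(
                    mid, _seconds(m.group("ts")), NOTIFY_RE.findall(im.group("payloads")))
                pending_dpd = False
        elif im.group("dir") == "parsed" and im.group("kind") == "response":
            if mid in exchanges:      # response pairs with the request of the same ID
                exchanges[mid].answered = True
    return exchanges


def dpd_summary(exchanges: dict) -> dict:
    """Condense the exchanges into the figures one compares against dpddelay/dpdtimeout."""
    ids = sorted(exchanges)
    intervals = [exchanges[b].sent_at - exchanges[a].sent_at for a, b in zip(ids, ids[1:])]
    last_ok = max((exchanges[i].sent_at for i in ids if exchanges[i].answered), default=None)
    silence = exchanges[ids[-1]].sent_at - last_ok if (ids and last_ok is not None) else None
    return {
        "dpd_active": bool(exchanges),               # False reproduces the thread's symptom
        "requests": len(ids),
        "unanswered": [i for i in ids if not exchanges[i].answered],
        "with_nat_detection": [i for i in ids if exchanges[i].has_nat_detection],
        "intervals": intervals,                       # expect ~dpddelay between requests
        "seconds_since_last_answer": silence,         # compare against dpdtimeout
    }


if __name__ == "__main__":
    print(dpd_summary(analyze_dpd(SAMPLE_LOG)))
    print(dpd_summary(analyze_dpd(QUIET_LOG)))
```

Running it on a real charon log (`analyze_dpd(open("/var/log/charon.log").read())` with charondebug at a level that logs ENC and IKE, as the thread's config does) gives a quick answer to both questions in the thread: `dpd_active` is False when no "sending DPD request" line ever appears, and `with_nat_detection` shows which DPD requests carried the NAT detection notifies. Matching is by message ID, so a request 3 is never credited with a response 2; a growing `seconds_since_last_answer` against dpdtimeout is what eventually triggers the configured dpdaction.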