[strongSwan] dpd not getting triggered

flyingrhino flyingrhino at orcon.net.nz
Sat Jan 20 02:01:06 CET 2018


Hi,

I like to combine custom retransmit settings too, because I find the default retransmission too "civilized"; I prefer to be more aggressive.
Look here for details:
https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission


On Mon, 15 Jan 2018 23:35:18 +0530
Rajiv Kulkarni <rajivkulkarni69 at gmail.com> wrote:

> Oops!!!... my comments are completely in the wrong context... and do not
> really apply... please forgive me... sorry for this
> 
> 
> 
> On Mon, Jan 15, 2018 at 11:26 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
> wrote:
> 
> > Hi
> >
> >
> > Are these below not dpd-keepalive informational messages? ... I think
> > dpd-keepalive is being exchanged between the peers...
> >
> > =========================
> > 1[IKE] peer supports MOBIKE
> > Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
> > Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
> > Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> > Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> > Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
> > Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
> > Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
> > Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> > Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> > Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
> > ===============================
> >
> >
> > On Sun, Jan 14, 2018 at 10:42 PM, Kalyani Garigipati (kagarigi) <
> > kagarigi at cisco.com> wrote:
> >
> >> Hi,
> >>
> >> Could someone reply to this please?
> >>
> >> Regards,
> >> Kalyani
> >>
> >> -----Original Message-----
> >> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of
> >> Kalyani Garigipati (kagarigi)
> >> Sent: Friday, January 12, 2018 5:22 PM
> >> To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <
> >> blscl at outlook.com>; users at lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Andreas,
> >>
> >> Sorry the message came unformatted.
> >>
> >> Basically the message is going without nat payloads
> >>
> >> generating INFORMATIONAL request 3 []
> >>
> >> Please let me know if I have to enable something. I already enabled
> >> mobike.
> >>
> >> regards,
> >> kalyani
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Users [mailto:users-bounces at lists.strongswan.org] On Behalf Of
> >> Kalyani Garigipati (kagarigi)
> >> Sent: Friday, January 12, 2018 4:14 PM
> >> To: Andreas Steffen <andreas.steffen at strongswan.org>; bls s <
> >> blscl at outlook.com>; users at lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Andreas,
> >>
> >> But I observed that even though I enabled mobike, dpd is not sending the
> >> NAT detection payload.
> >>
> >> Below are the logs. I am using strongswan-5.6.1
> >>
> >> charon: 08[NET] sending packet: from 10.127.47.104[500] to 10.104.108.110[500] (524 bytes)
> >> Jan 12 08:34:10 strongswan charon: 10[NET] received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)
> >> Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received FRAGMENTATION vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received 1 cert requests for an unknown ca
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] sending cert request for "C=US, O=Cisco, CN=BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of '10.127.47.104' (myself) with pre-shared key
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] establishing CHILD_SA net-net{1}
> >> Jan 12 08:34:10 strongswan charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> >> Jan 12 08:34:10 strongswan charon: 10[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528 bytes)
> >> Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes)
> >> Jan 12 08:34:10 strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] authentication of '10.104.108.110' with pre-shared key successful
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in 5093s
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime 5573s
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
> >> Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
> >> Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
> >> Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> >> Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> >> Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
> >> Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
> >> Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
> >> Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> >> Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> >> Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
> >>
> >> Regards,
> >> Kalyani
> >>
> >> -----Original Message-----
> >> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> >> Sent: Friday, January 12, 2018 2:46 PM
> >> To: Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>; bls s <
> >> blscl at outlook.com>; users at lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Kalyani,
> >>
> >> strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC
> >> 4555 MOBIKE which is enabled by default. See
> >>
> >>   https://tools.ietf.org/html/rfc4555#section-3.8
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
> >> > Hi,
> >> >
> >> >
> >> >
> >> > Thanks a lot for the reply. It worked. I see the dpd triggering now.
> >> >
> >> >
> >> >
> >> > I am working on a case when dpd from strongswan sends the nat
> >> > detection payloads.
> >> >
> >> > I wanted to know upon which conditions strongswan would send dpd
> >> > request with nat_detection_src_ip and nat_detection_dst_ip.
> >> >
> >> >
> >> >
> >> > Is it done only in a specific case, like when strongswan is behind
> >> > NAT and strongswan is a remote-access client?
> >> >
> >> >
> >> >
> >> > Regards,
> >> >
> >> > kalyani
> >> >
> >> >
> >> >
> >> > *From:*bls s [mailto:blscl at outlook.com]
> >> > *Sent:* Friday, January 12, 2018 6:40 AM
> >> > *To:* Kalyani Garigipati (kagarigi) <kagarigi at cisco.com>;
> >> > users at lists.strongswan.org
> >> > *Subject:* RE: [strongSwan] dpd not getting triggered
> >> >
> >> >
> >> >
> >> > By default dpdaction=none, which disables sending dpd messages.
> >> >
> >> >
> >> >
> >> > *From: *Kalyani Garigipati (kagarigi) <mailto:kagarigi at cisco.com>
> >> > *Sent: *Thursday, January 11, 2018 10:47 AM
> >> > *To: *users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> >> > *Subject: *[strongSwan] dpd not getting triggered
> >> >
> >> >
> >> >
> >> > Hi,
> >> >
> >> > I am using strongswan version 5.6.1
> >> > I found that even though I configured dpd using dpddelay and
> >> > dpdtimeout, dpd is not getting triggered from strongswan client at all
> >> > even though there is no traffic passing.
> >> > Please let me know how to debug this.
> >> >
> >> >
> >> > config setup
> >> >          charondebug=all
> >> >         # crlcheckinterval=600
> >> >         # strictcrlpolicy=yes
> >> >         # cachecrls=yes
> >> >         # nat_traversal=yes
> >> >         # charonstart=no
> >> >
> >> > conn %default
> >> >        ikelifetime=100m
> >> >        keylife=20m
> >> >        rekeymargin=8m
> >> >        keyingtries=1
> >> >        authby=psk
> >> >        keyexchange=ikev2
> >> >        ike=aes256-sha256-modp1024
> >> >        esp=3des-sha1
> >> >        mobike=yes
> >> >        dpddelay=5s
> >> >        dpdtimeout=150s
> >> >
> >> > # Add connections here.
> >> >
> >> > # Add connections here.
> >> > conn net-net
> >> >         left=10.127.47.104
> >> >         leftsubnet=10.127.47.104/32
> >> >         leftid=10.127.47.104
> >> >         right=10.104.108.110
> >> >         rightsubnet=10.104.108.110/32
> >> >         rightid=10.104.108.110
> >> >         auto=start
> >> >
> >> > ~
> >> > Regards,
> >> > kalyani
> >> >
> >>
> >> --
> >> ======================================================================
> >> Andreas Steffen                         andreas.steffen at strongswan.org
> >> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> >> Institute for Networked Solutions
> >> HSR University of Applied Sciences Rapperswil
> >> CH-8640 Rapperswil (Switzerland)
> >> ===========================================================[INS-HSR]==
> >>
> >>
> >



-- 
Rhinos can fly,

It's just a case of mind over matter ...
... And you need a lot of mind to control that much matter ...
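The thread turns on two things a reader may want to check on their own box: whether charon is really sending DPD (and whether the INFORMATIONAL exchange carries the NAT detection payloads Kalyani was looking for), and how long the retransmission schedule flyingrhino mentions actually runs before a peer is given up on. The script below is an added example, not code from this thread or from the strongSwan project. It parses log lines in the same charon format quoted above (the sample lines are constructed, not the thread's), and it computes the schedule from the formula on the strongSwan Retransmission wiki page, relative timeout = retransmit_timeout * retransmit_base^n for n = 0..retransmit_tries, using the documented strongswan.conf defaults (4.0, 1.8, 5). Note that for the IKEv2 configuration in the thread, dpdtimeout is not used at all; these retransmission settings decide when the IKE_SA is declared dead.

```python
"""Added example (not from the strongSwan list thread or project): check DPD
exchanges in charon logs and compute the IKEv2 retransmission schedule."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the charon log format quoted in the thread. Request 2 is
# answered, request 3 carries NAT detection payloads, request 4 never gets a reply.
SAMPLE_LOG = """\
Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 12 08:34:25 strongswan charon: 09[IKE] sending DPD request
Jan 12 08:34:25 strongswan charon: 09[ENC] generating INFORMATIONAL request 4 [ ]
"""

INFO_REQ = re.compile(r"generating INFORMATIONAL request (\d+) \[(.*?)\]")
INFO_RESP = re.compile(r"parsed INFORMATIONAL response (\d+) \[")


@dataclass
class DpdExchange:
    msg_id: int
    payloads: list[str]      # notify payloads listed inside the [ ] of the request
    answered: bool = False

    @property
    def has_nat_detection(self) -> bool:
        """True when the DPD request carried both NAT detection notifies."""
        return "N(NATD_S_IP)" in self.payloads and "N(NATD_D_IP)" in self.payloads


def analyze_dpd(log_text: str) -> list[DpdExchange]:
    """Pair each 'sending DPD request' with the INFORMATIONAL request charon
    generates next, then mark it answered when a response with the same
    message ID is parsed (the response may come from a different thread)."""
    exchanges: dict[int, DpdExchange] = {}
    pending_dpd = False
    for line in log_text.splitlines():
        if "sending DPD request" in line:
            pending_dpd = True
            continue
        req = INFO_REQ.search(line)
        if req and pending_dpd:
            msg_id = int(req.group(1))
            exchanges[msg_id] = DpdExchange(msg_id, req.group(2).split())
            pending_dpd = False
            continue
        resp = INFO_RESP.search(line)
        if resp and int(resp.group(1)) in exchanges:
            exchanges[int(resp.group(1))].answered = True
    return list(exchanges.values())


def unanswered_dpd(exchanges: list[DpdExchange]) -> list[int]:
    """Message IDs of DPD requests that never saw a response (a dead-peer signal)."""
    return [e.msg_id for e in exchanges if not e.answered]


def retransmit_schedule(timeout: float = 4.0, base: float = 1.8,
                        tries: int = 5, limit: float = 0) -> list[float]:
    """Intervals charon waits before each retransmit: timeout * base**n for
    n = 0..tries. Defaults are the strongswan.conf defaults for
    charon.retransmit_timeout / retransmit_base / retransmit_tries; a non-zero
    limit models charon.retransmit_limit, which caps each interval."""
    delays = []
    for n in range(tries + 1):
        delay = timeout * base ** n
        if limit:
            delay = min(delay, limit)
        delays.append(round(delay, 2))
    return delays


def time_to_dead(**kwargs) -> float:
    """Total seconds from the first unanswered request until the peer is
    declared dead, i.e. the sum of the schedule intervals."""
    return round(sum(retransmit_schedule(**kwargs)), 1)


if __name__ == "__main__":
    for e in analyze_dpd(SAMPLE_LOG):
        print(f"DPD msg {e.msg_id}: answered={e.answered} natd={e.has_nat_detection}")
    print("unanswered:", unanswered_dpd(analyze_dpd(SAMPLE_LOG)))
    print("default schedule:", retransmit_schedule(), "->", time_to_dead(), "s")
    print("aggressive :", retransmit_schedule(timeout=2.0, base=1.5, tries=3))
```

With the defaults the schedule is 4, 7.2, 12.96, 23.33, 41.99 and 75.58 seconds, about 165 seconds in total, which is the figure to compare against the 150 s dpdtimeout in the thread's ipsec.conf: under IKEv2 that value has no effect, so shortening the detection window means tuning charon.retransmit_* in strongswan.conf rather than dpdtimeout.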