[strongSwan] DPD question

Thomas Egerer hakke_007 at gmx.de
Tue Aug 4 19:53:54 CEST 2020


On 8/4/20 7:27 PM, Makarand Pradhan wrote:
> Thanks for your response.
>
> I have verified that retransmit_tries = 1 works for DPD.
It's not advisable to use retransmit_tries = 1 since this
causes the SA to be torn down after the loss of two packets.

> root at t1024rdb:/usr/local/etc/strongswan.d# swanctl --log
> 14[IKE] sending DPD request
> 14[ENC] generating INFORMATIONAL request 2 [ ]
> 14[NET] sending packet: from 172.16.31.1[500] to 172.16.21.2[500] (76 bytes)
> 07[IKE] retransmit 1 of request with message ID 2
> 07[NET] sending packet: from 172.16.31.1[500] to 172.16.21.2[500] (76 bytes)
> 13[IKE] sending DPD request
> 13[ENC] generating INFORMATIONAL request 2 [ ]
> 13[NET] sending packet: from 172.16.31.100[500] to 172.16.21.100[500] (76 bytes)
> 08[IKE] giving up after 1 retransmits
> 11[IKE] retransmit 1 of request with message ID 2
> 11[NET] sending packet: from 172.16.31.100[500] to 172.16.21.100[500] (76 bytes)
> 06[IKE] giving up after 1 retransmits
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
>
>  
> Confidentiality Notice: 
> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
>
> -----Original Message-----
> From: Thomas Egerer <hakke_007 at gmx.de>
> Sent: August 4, 2020 12:10 PM
> To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] DPD question
>
> Hi Makarand,
>
> the retransmit_tries option is exactly what you're looking for. It defaults to five (see [1]). Essentially charon's task manager tries to retransmit each packet at most five times (if not configured otherwise) regardless of the message type. There's no extra option for R-U-There messages or DPD requests.
>
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Strongswanconf
>
> On 8/4/20 5:33 PM, Makarand Pradhan wrote:
>> Good morning All,
>>
>> Is there a way to configure the number of DPD retries before giving up? We would like to configure 5 R-U-There failures before taking the connection down. The retransmit_tries in charon.conf, controls the IKE retransmits. Don't think it's affecting DPD behaviour.
>>
>> Thanks for looking at my query.
>>
>
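A small model of the retransmission schedule this thread is about, added here as an illustration and not part of the original post or of strongSwan's own code. It assumes the documented strongswan.conf options charon.retransmit_timeout (default 4.0 s), charon.retransmit_base (default 1.8) and charon.retransmit_tries (default 5), and the documented rule that the n-th wait is timeout * base^n; the log lines it parses are the ones quoted above.

```python
"""Model of charon's retransmission schedule (illustration, not strongSwan code).

Assumed strongswan.conf defaults: charon.retransmit_timeout = 4.0,
charon.retransmit_base = 1.8, charon.retransmit_tries = 5. The wait after
the n-th transmission is timeout * base**n; after `tries` retransmits
charon gives up, and for a DPD request that tears the IKE_SA down.
"""
import re

DEFAULT_TIMEOUT = 4.0   # seconds before the first retransmit
DEFAULT_BASE = 1.8      # exponential backoff base
DEFAULT_TRIES = 5       # retransmits before giving up


def retransmit_schedule(tries=DEFAULT_TRIES, timeout=DEFAULT_TIMEOUT,
                        base=DEFAULT_BASE):
    """Seconds waited after each transmission; one entry per packet sent."""
    return [timeout * base ** n for n in range(tries + 1)]


def lost_packets_to_teardown(tries=DEFAULT_TRIES):
    """A DPD peer is declared dead once the initial request and every
    retransmit are lost: tries + 1 consecutive losses (2 for tries = 1)."""
    return tries + 1


def seconds_until_give_up(tries=DEFAULT_TRIES, timeout=DEFAULT_TIMEOUT,
                          base=DEFAULT_BASE):
    """Total time from the first DPD request until charon gives up."""
    return sum(retransmit_schedule(tries, timeout, base))


# Matches the 'giving up' lines charon writes to `swanctl --log`.
GIVE_UP = re.compile(r"^\d+\[IKE\] giving up after (\d+) retransmits$")


def count_dead_peer_events(log_lines):
    """Return (number of give-up events, set of retransmit counts seen).

    Several events with a tiny retransmit count on a lossy link point at a
    retransmit_tries setting that is too aggressive, not at dead peers."""
    counts = [int(m.group(1)) for line in log_lines
              if (m := GIVE_UP.match(line.strip()))]
    return len(counts), set(counts)


# Sample log, constructed from the lines quoted in this thread.
SAMPLE_LOG = """14[IKE] sending DPD request
07[IKE] retransmit 1 of request with message ID 2
08[IKE] giving up after 1 retransmits
11[IKE] retransmit 1 of request with message ID 2
06[IKE] giving up after 1 retransmits""".splitlines()

if __name__ == "__main__":
    print(lost_packets_to_teardown(1), round(seconds_until_give_up(1), 1))
    print(lost_packets_to_teardown(), round(seconds_until_give_up(), 1))
    print(count_dead_peer_events(SAMPLE_LOG))
```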