[strongSwan] DPD question

Makarand Pradhan MakarandPradhan at is5com.com
Tue Aug 4 22:33:42 CEST 2020


Thanks Thomas.

Will use 5. That makes sense.

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.

-----Original Message-----
From: Thomas Egerer <hakke_007 at gmx.de> 
Sent: August 4, 2020 1:54 PM
To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] DPD question

On 8/4/20 7:27 PM, Makarand Pradhan wrote:
> Thanks for your response.
>
> I have verified that retransmit_tries = 1 works for DPD.

It's not advisable to use retransmit_tries = 1 since this causes the SA to be torn down after the loss of two packets.

> root at t1024rdb:/usr/local/etc/strongswan.d# swanctl --log
> 14[IKE] sending DPD request
> 14[ENC] generating INFORMATIONAL request 2 [ ]
> 14[NET] sending packet: from 172.16.31.1[500] to 172.16.21.2[500] (76 bytes)
> 07[IKE] retransmit 1 of request with message ID 2
> 07[NET] sending packet: from 172.16.31.1[500] to 172.16.21.2[500] (76 bytes)
> 13[IKE] sending DPD request
> 13[ENC] generating INFORMATIONAL request 2 [ ]
> 13[NET] sending packet: from 172.16.31.100[500] to 172.16.21.100[500] (76 bytes)
> 08[IKE] giving up after 1 retransmits
> 11[IKE] retransmit 1 of request with message ID 2
> 11[NET] sending packet: from 172.16.31.100[500] to 172.16.21.100[500] (76 bytes)
> 06[IKE] giving up after 1 retransmits
>
> Kind rgds,
> Makarand Pradhan
>
> -----Original Message-----
> From: Thomas Egerer <hakke_007 at gmx.de>
> Sent: August 4, 2020 12:10 PM
> To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] DPD question
>
> Hi Makarand,
>
> the retransmit_tries option is exactly what you're looking for. It
> defaults to five (see [1]). Essentially charon's task manager tries to
> retransmit each packet at most five times (if not configured
> otherwise) regardless of the message type. There's no extra option
> for R-U-There messages or DPD requests.
>
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Strongswanconf
>
> On 8/4/20 5:33 PM, Makarand Pradhan wrote:
>> Good morning All,
>>
>> Is there a way to configure the number of DPD retries before giving up? We would like to configure 5 R-U-There failures before taking the connection down. The retransmit_tries in charon.conf controls the IKE retransmits. Don't think it's affecting DPD behaviour.
>>
>> Thanks for looking at my query.
>>
>> Kind rgds,
>> Makarand Pradhan
>>
>
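
Added example, not part of the original thread: a small model of charon's retransmission back-off showing why retransmit_tries = 1 gives up after two lost packets and how long each setting takes to declare the peer dead. It assumes the documented strongswan.conf defaults (retransmit_timeout = 4.0, retransmit_base = 1.8, retransmit_limit = 0) and ignores retransmit_jitter; the function name is hypothetical.

```python
# Added example: models the back-off that governs DPD/IKE retransmits.
# Assumed defaults: retransmit_timeout=4.0, retransmit_base=1.8,
# retransmit_limit=0 (no cap). Jitter is not modelled.

def retransmit_schedule(tries=5, timeout=4.0, base=1.8, limit=0.0):
    """Return (send_times, give_up_time), in seconds after the first send.

    send_times[0] is the original request at t=0; the remaining entries
    are the retransmits. After the n-th transmission (n=0 is the
    original) the daemon waits timeout * base**n, capped by limit when
    limit > 0. When the wait after the last retransmit expires, the
    exchange is abandoned and the IKE SA is torn down.
    """
    if tries < 0:
        raise ValueError("tries must be >= 0")
    elapsed = 0.0
    send_times = [0.0]
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit > 0:
            wait = min(wait, limit)
        elapsed += wait
        if n < tries:
            send_times.append(elapsed)  # retransmit number n + 1
    return send_times, elapsed


if __name__ == "__main__":
    for tries in (1, 5):
        sends, give_up = retransmit_schedule(tries=tries)
        stamps = ", ".join(f"{t:.1f}s" for t in sends)
        print(f"retransmit_tries={tries}: {len(sends)} packets sent "
              f"at {stamps}; SA torn down at {give_up:.1f}s")
```

With the assumed defaults, one try abandons the SA about 11 seconds after the DPD request, while five tries tolerate roughly 165 seconds of packet loss.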


