On 02/05/2019 19:19, Paul Wouters wrote:
On Thu, 2 May 2019, Nick Howitt wrote:
I have an IKEv2 conn with one end behind NAT:
Nat'd (remote):
conn nick-ikev2
    type=tunnel
    authby=secret
    auto=start
    left=10.20.40.248
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    leftid=@clearos_in_clearvm
    right=my.fqdn
    rightsubnet=172.17.2.0/24
    rightid=@nick
    ikev2=insist
    dpdaction=restart
    dpdtimeout=120
    dpddelay=30
looks ok.
Other (local) end:
conn nick-ikev2
    type=tunnel
    authby=secret
    auto=add
    left=%any
    #left=209.90.117.194
    leftsubnet=192.168.20.0/24
    leftid=@clearos_in_clearvm
    right=%defaultroute
    rightsubnet=172.17.2.0/24
    rightsourceip=172.17.2.1
    rightid=@nick
    ikev2=insist
    dpdaction=restart
    dpdtimeout=120
    dpddelay=30
    rekey=no
auto=add with rekey=no should have dpdaction=clear and not restart, as it cannot start to the endpoint behind NAT.
Using libreswan-3.25-4.1.el7_6.x86_64.
Can you run with plutodebug=all then egrep -i dpd over the log?
Paul
The output is not very helpful!
[root@ad-dc-server ~]# grep dpd -i /var/log/libreswan
May 2 20:30:47.371103: "nick-ikev2" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x6e8287b3 <0x5b64618f xfrm=AES_GCM_16_256-NONE NATOA=none NATD=90.255.224.113:4500 DPD=active}
May 2 20:30:47.371141: | dpd enabled, scheduling ikev2 liveness checks
and that is it. I let it run for about 7 minutes after I replaced the conn at the other end. Do you want the full log?
Nick
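A small checker for the rule Paul states above (a conn with auto=add and rekey=no cannot initiate to the NAT'd peer, so it should use dpdaction=clear rather than restart), added here as an example and not part of the thread or of libreswan itself. It parses ipsec.conf-style conn sections; the sample input is the responder-side conn from the thread, constructed inline.

```python
import re

# Constructed sample: the responder-side conn from the thread, carrying the
# dpdaction=restart setting that Paul flagged.
SAMPLE_CONF = """\
conn nick-ikev2
    type=tunnel
    authby=secret
    auto=add
    left=%any
    #left=209.90.117.194
    leftsubnet=192.168.20.0/24
    leftid=@clearos_in_clearvm
    right=%defaultroute
    rightsubnet=172.17.2.0/24
    rightsourceip=172.17.2.1
    rightid=@nick
    ikev2=insist
    dpdaction=restart
    dpdtimeout=120
    dpddelay=30
    rekey=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def check_dpd(conn):
    """Flag auto=add + rekey=no conns that use dpdaction=restart: such a conn
    only responds, so it cannot restart a tunnel to a peer behind NAT."""
    passive = conn.get("auto") == "add" and conn.get("rekey") == "no"
    if passive and conn.get("dpdaction") == "restart":
        return ["dpdaction=restart on a responder-only conn; use dpdaction=clear"]
    return []

def lint(text):
    """Map each conn name to its list of findings (empty list means clean)."""
    return {name: check_dpd(c) for name, c in parse_conns(text).items()}
```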
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan