We test DPD by temporarily blocking the network connection between the peers by inserting an iptables DROP rule in the firewall, then waiting until DPD has dropped the connection for sure, and then enabling it again:
moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
rw{1}: INSTALLED, TUNNEL, ESP SPIs: c027534b_i c1470ab0_o
moon# iptables -A INPUT -i eth0 -s 192.168.0.100 -j DROP
carol# iptables -A INPUT -i eth0 -s 192.168.0.1 -j DROP
carol# sleep 180
carol# cat /var/log/daemon.log | grep 'sending DPD request' [YES]
May 2 23:15:38 carol charon: 02[IKE] sending DPD request
carol# cat /var/log/daemon.log | grep 'retransmit.*of request' [YES]
May 2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May 2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May 2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May 2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May 2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May 2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0
carol# cat /var/log/daemon.log | grep 'giving up after 5 retransmits' [YES]
May 2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits
carol# iptables -D INPUT -i eth0 -s 192.168.0.1 -j DROP
moon# iptables -D INPUT -i eth0 -s 192.168.0.100 -j DROP
carol# sleep 10
carol# ipsec statusall | grep 'home.*INSTALLED' [YES]
home{2}: INSTALLED, TUNNEL, ESP SPIs: c78419d4_i c7edebd7_o
moon# ipsec statusall | grep 'rw.*INSTALLED' [YES]
rw{2}: INSTALLED, TUNNEL, ESP SPIs: c7edebd7_i c78419d4_o
Regards
Andreas
On 22.06.2010 18:01, Dhanavel P wrote:
Hi All,
I am trying to establish Host to Host DPD connection.
I added the following in the ipsec.conf file (in both Moon and Sun)
dpdaction=restart
dpddelay=5
dpdtimeout=10
After that I start IPsec and establish the connection by ipsec up <connection name>.
The output is like DPD connection established and there is no error...
Kindly help me out, how to test and verify this setup?
What are the steps that I have to follow for testing?
Thanks in Advance
Regards,
Dhanavel
--
======================================================================
Andreas Steffen                                       [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
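Added example, not part of the original message and not strongSwan code: a log check that turns the carol daemon.log lines quoted above into a timeline and compares it with an exponential backoff of timeout * base^n. It assumes strongSwan's documented default retransmission settings (retransmit_timeout 4.0, retransmit_base 1.8, retransmit_tries 5) are unchanged on the host and that the log year is 2010; the function names are hypothetical.

```python
import re
from datetime import datetime

# The carol log lines quoted in the message above (wrapped lines joined).
SAMPLE_LOG = """\
May 2 23:15:38 carol charon: 02[IKE] sending DPD request
May 2 23:15:42 carol charon: 09[IKE] retransmit 1 of request with message ID 2
May 2 23:15:49 carol charon: 14[IKE] retransmit 2 of request with message ID 2
May 2 23:16:02 carol charon: 15[IKE] retransmit 3 of request with message ID 2
May 2 23:16:25 carol charon: 01[IKE] retransmit 4 of request with message ID 2
May 2 23:17:07 carol charon: 14[IKE] retransmit 5 of request with message ID 2
May 2 23:18:23 carol charon: 13[IKE] giving up after 5 retransmits
May 2 23:18:27 carol charon: 14[IKE] retransmit 1 of request with message ID 0
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] (.*)$")
RETRANS = re.compile(r"retransmit (\d+) of request with message ID (\d+)")

def dpd_timeline(log_text, year=2010):
    """Seconds from the unanswered DPD request to each retransmit and the give-up.
    syslog omits the year, so `year` is an assumption used only for parsing."""
    start, msg_id, events = None, None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        text, r = m.group(2), RETRANS.match(m.group(2))
        if text == "sending DPD request":  # new probe: earlier ones were answered
            start, msg_id, events = ts, None, [("request", 0)]
        elif r and start is not None:
            msg_id = msg_id or r.group(2)
            if r.group(2) == msg_id:  # skip retransmits of other exchanges
                events.append((f"retransmit {r.group(1)}", int((ts - start).total_seconds())))
        elif text.startswith("giving up after") and start is not None:
            return events + [("giving up", int((ts - start).total_seconds()))]
    return []  # no DPD exchange timed out in this log

def expected_offsets(timeout=4.0, base=1.8, tries=5):
    """Cumulative send times for timeout * base**n backoff (defaults are assumed)."""
    return [sum(timeout * base ** i for i in range(n + 1)) for n in range(tries + 1)]

def matches_backoff(events, tolerance=1.0):
    observed = [off for _, off in events[1:]]
    expected = expected_offsets(tries=len(observed) - 1)
    return bool(observed) and all(abs(o - e) <= tolerance for o, e in zip(observed, expected))

if __name__ == "__main__":
    for name, offset in dpd_timeline(SAMPLE_LOG):
        print(f"{offset:4d}s  {name}")
```

On the quoted log the peer is given up on 165 seconds after the DPD request, which is why the 180-second sleep in the test is long enough.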
