Hi Dragomir,

with your configuration DPD should work but your ipsec status shows with

    STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s

that the IPsec connection has not been fully established and therefore no DPD payloads are sent.

Regards
Andreas

On 20.12.2012 00:01, Dragomir Ivanov wrote:
Hello,
I have the following configuration for an L2TP connection used by an Android phone:
config setup
    plutostart=yes
    plutodebug="control controlmore"
    charonstart=yes
    nocrsend=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    authby=secret
    mobike=no

conn L2TP
    authby=secret
    auto=add
    rekey=no
    pfs=no
    type=transport
    forceencaps=yes
    compress=yes
    left=212.25.51.133
    leftnexthop=212.25.51.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv
    keyexchange=ikev1
    # dead peer detection: clear the SA after 60s without a reply, probe every 10s
    dpdaction=clear
    dpdtimeout=60
    dpddelay=10
The phone connects OK. But when the phone is disconnected, the SA stays indefinitely. With my configuration it should remove the SA association in 60 seconds or so, but it stays like this:
000 "L2TP": 212.25.51.133[212.25.51.133]:17/1701---212.25.51.1...%virtual[%any]:17/%any===?; unrouted; eroute owner: #0
000 "L2TP": ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP": dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP": policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP"[2]: 212.25.51.133:4500[212.25.51.133]:17/1701---212.25.51.1...213.226.63.142:33677[10.181.105.171]:17/0; unrouted; eroute owner: #0
000 "L2TP"[2]: ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "L2TP"[2]: dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]: policy: PSK+ENCRYPT+COMPRESS+DONTREKEY; prio: 32,32; interface: eth1;
000 "L2TP"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "L2TP"[2]: IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s; newest ISAKMP
When I look at tcpdump on UDP ports 500/4500, I see no (DPD) packets from the IPsec gateway to the remote device (Android).

Is this a bug, or have I misconfigured something? Thank you.
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
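An added example, not code from the thread or from strongSwan: a small Python parser for pluto-style `ipsec status` output that applies the rule Andreas gives above (DPD probes only start once the ISAKMP SA and an IPsec SA are both established) and reports why no DPD is running. The sample status text is constructed from the lines quoted in the thread; the regexes and the `dpd_expected` rule are this example's own assumptions.

```python
import re

# Constructed sample, modelled on the `ipsec status` lines quoted in the thread
# (same connection name, SA numbers and states), one record per line.
SAMPLE_STATUS = """\
000 "L2TP"[2]: dpd_action: clear; dpd_delay: 10s; dpd_timeout: 60s;
000 "L2TP"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #341: "L2TP"[2] 213.226.63.142:33677 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s
000 #1: "L2TP"[2] 213.226.63.142:33677 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3972s
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?: (?P<body>.*)$')
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)"(?P<inst>\[\d+\])? \S+ '
                      r'(?P<state>STATE_\w+) \([^)]*\); (?P<event>EVENT_\w+)')
SA_RE = re.compile(r'newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);')

def parse_status(text):
    """Group pluto-style status lines by connection instance, e.g. 'L2TP[2]'."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line) or CONN_RE.match(line)
        if not m:
            continue
        key = m['name'] + (m['inst'] or '')
        c = conns.setdefault(key, {'states': [], 'dpd': None, 'ike': 0, 'ipsec': 0})
        if 'num' in m.groupdict():  # per-state line: "#341: ... STATE_QUICK_I1 ..."
            c['states'].append((int(m['num']), m['state'], m['event']))
            continue
        if m['body'].startswith('dpd_action:'):
            c['dpd'] = m['body']
        sa = SA_RE.search(m['body'])
        if sa:
            c['ike'], c['ipsec'] = int(sa['ike']), int(sa['ipsec'])
    return conns

def dpd_expected(conn):
    """DPD probes are only sent once both the ISAKMP SA and an IPsec SA are up."""
    if conn['dpd'] is None:
        return False, 'no dpd_action configured for this connection'
    if conn['ike'] == 0:
        return False, 'no ISAKMP SA established'
    if conn['ipsec'] == 0:
        pending = [f'#{n} {s} ({e})' for n, s, e in conn['states'] if s.startswith('STATE_QUICK')]
        return False, 'no IPsec SA established; Quick Mode pending: ' + ', '.join(pending)
    return True, 'DPD active'

if __name__ == '__main__':
    for name, conn in parse_status(SAMPLE_STATUS).items():
        print(name, *dpd_expected(conn))
```

Run against the sample it reports that `L2TP[2]` has ISAKMP SA #1 but no IPsec SA, with #341 still retransmitting in STATE_QUICK_I1, which is exactly the condition under which no DPD payloads are sent.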
