Hello Tobias

See below

-----Original Message-----
From: Tobias Brunner [mailto:[email protected]]
Sent: Friday, April 21, 2017 11:34 AM
To: Modster, Anthony <[email protected]>; Marc Obbad <[email protected]>; [email protected]
Subject: Re: [strongSwan] DPD issues when using multiple interfaces to same Gateway

Hi Anthony,

>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
>> communicate with the Gateway but others are, what happens if the DPD timer
>> expires in only one of them?
>
> Yes, they apply to each IKE_SA individually.
>
> A.M. DpdAction=clear, and multiple interfaces, after one DPD timer expires,
> it may not clear.
> If DpdAction=clear, and single interface, after DPD timer expires, it does
> clear.

So what happens instead? Please post some logs that show this difference in behavior (and the config that goes with it).

>> 2- When we set DPD action as restart, do we need to terminate the
>> current IKE after the DPD timer expires, or is it done automatically?
>
> The SA will be automatically restarted.
>
> A.M. after the restart and the interface comes back up, the tunnel indicates
> ESTABLISHED, but is not usable.

What makes it unusable? Are routes missing? Firewall rules? Policies or SAs in the kernel?

A.M.1 We moved our interfaces to different subnets and are able to use DpdAction=restart, and the tunnel recovers on reconnection (but only if the reconnection occurs after the dpd timeout). If the reconnection occurs during the initial dpd timeout period (using the same connection as the disconnect), the tunnel comes up, but is not usable.

The log indicates that the DPD requests are sent and received.

note: ping indicates

root@wglng-6:~# ping -I 20.20.220.26 40.40.40.15
PING 40.40.40.15 (40.40.40.15) from 20.20.220.26: 56 data bytes
ping: can't set multicast source interface

Below is the ping test, before the disconnect:

root@wglng-6:~# ping -I 20.20.220.26 40.40.40.15
PING 40.40.40.15 (40.40.40.15) from 20.20.220.46: 56 data bytes
64 bytes from 40.40.40.15: seq=0 ttl=128 time=24.577 ms
64 bytes from 40.40.40.15: seq=1 ttl=128 time=23.270 ms
64 bytes from 40.40.40.15: seq=2 ttl=128 time=22.911 ms
64 bytes from 40.40.40.15: seq=3 ttl=128 time=50.389 ms
64 bytes from 40.40.40.15: seq=4 ttl=128 time=35.077 ms
64 bytes from 40.40.40.15: seq=5 ttl=128 time=33.284 ms

--- 40.40.40.15 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 22.911/31.584/50.389 ms

Regards,
Tobias
security_edit.log
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
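One way to answer the "policies or SAs in the kernel?" question raised in the thread, as an added example that is not part of the mailing-list message or of strongSwan: parse the output of `ip xfrm policy` and `ip xfrm state` and list every policy whose template (tunnel endpoints, protocol, reqid) has no matching SA. A tunnel in that state is exactly one that IKE can report as ESTABLISHED while traffic never flows. The SAMPLE_* strings are constructed to mimic the two commands' output; the addresses, reqids and SPIs in them are made up, and `--live` runs the real commands on the local host (root or CAP_NET_ADMIN needed).

```python
"""Cross-check kernel IPsec policies against installed SAs (added example).

Parses `ip xfrm policy` / `ip xfrm state` output and reports policies whose
template has no SA. SAMPLE_* below are constructed, not captured output.
"""
import re
import subprocess

# Constructed sample: reqid 1 (the 20.20.220.x tunnel) has both SAs installed,
# reqid 2 (the 20.20.221.x tunnel) has an outbound policy but no SA.
SAMPLE_POLICY = """\
src 20.20.220.0/24 dst 40.40.40.0/24
\tdir out priority 375423 ptype main
\ttmpl src 20.20.220.26 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 40.40.40.0/24 dst 20.20.220.0/24
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 20.20.220.26
\t\tproto esp reqid 1 mode tunnel
src 20.20.221.0/24 dst 40.40.40.0/24
\tdir out priority 375423 ptype main
\ttmpl src 20.20.221.26 dst 198.51.100.1
\t\tproto esp reqid 2 mode tunnel
"""

SAMPLE_STATE = """\
src 20.20.220.26 dst 198.51.100.1
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00000000000000000000000000000000 128
src 198.51.100.1 dst 20.20.220.26
\tproto esp spi 0xd4e5f601 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00000000000000000000000000000000 128
"""

POLICY_RE = re.compile(
    r"src (\S+) dst (\S+) dir (\w+) .*?tmpl src (\S+) dst (\S+) proto (\w+) reqid (\d+)")
STATE_RE = re.compile(
    r"src (\S+) dst (\S+) proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+)")


def _records(text):
    """Fold each `ip xfrm` entry (unindented 'src' line + indented lines) into one string."""
    records, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def parse_policies(text):
    """Return every policy that carries a template, as a dict (socket policies are skipped)."""
    policies = []
    for rec in _records(text):
        m = POLICY_RE.match(rec)
        if m:
            policies.append({"sel_src": m[1], "sel_dst": m[2], "dir": m[3],
                             "tmpl_src": m[4], "tmpl_dst": m[5],
                             "proto": m[6], "reqid": int(m[7])})
    return policies


def parse_states(text):
    """Return the installed SAs as dicts (endpoints, proto, spi, reqid)."""
    states = []
    for rec in _records(text):
        m = STATE_RE.match(rec)
        if m:
            states.append({"src": m[1], "dst": m[2], "proto": m[3],
                           "spi": m[4], "reqid": int(m[5])})
    return states


def missing_sas(policies, states):
    """Policies whose template has no SA with the same endpoints, proto and reqid.

    Such a policy still matches traffic, but the kernel has no SA to protect it
    with, so packets are dropped (and an acquire is raised) even if IKE reports
    the connection as ESTABLISHED.
    """
    installed = {(s["src"], s["dst"], s["proto"], s["reqid"]) for s in states}
    return [p for p in policies
            if (p["tmpl_src"], p["tmpl_dst"], p["proto"], p["reqid"]) not in installed]


def report(policy_text, state_text):
    """One line per policy lacking an SA; empty string means every policy is backed."""
    lines = []
    for p in missing_sas(parse_policies(policy_text), parse_states(state_text)):
        lines.append(f"{p['dir']:>3} {p['sel_src']} -> {p['sel_dst']}: no {p['proto']} SA "
                     f"{p['tmpl_src']} -> {p['tmpl_dst']} reqid {p['reqid']}")
    return "\n".join(lines)


def _ip_xfrm(*args):
    """Run `ip xfrm <args>` and return its stdout (needs root or CAP_NET_ADMIN)."""
    return subprocess.run(["ip", "xfrm", *args], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        print(report(_ip_xfrm("policy"), _ip_xfrm("state")) or "every policy has an SA")
    else:
        print(report(SAMPLE_POLICY, SAMPLE_STATE))
```

Run it without arguments to see the constructed case flagged (the reqid 2 policy); run it with `--live` on the gateway right after a DPD-triggered restart and compare with `swanctl --list-sas` or `ipsec statusall`. If IKE shows the CHILD_SA as installed but this check lists its policies, the gap is on the kernel side; if nothing is listed, look at routes and firewall rules next, as Tobias suggests.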
