Hi
Are these below not dpd-keepalive informational messages? I think dpd-keepalive is being exchanged between the peers...

=========================
1[IKE] peer supports MOBIKE
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
===============================

On Sun, Jan 14, 2018 at 10:42 PM, Kalyani Garigipati (kagarigi) <[email protected]> wrote:

> Hi,
>
> Could someone reply on this please
>
> Regards,
> Kalyani
>
> -----Original Message-----
> From: Users [mailto:[email protected]] On Behalf Of
> Kalyani Garigipati (kagarigi)
> Sent: Friday, January 12, 2018 5:22 PM
> To: Andreas Steffen <[email protected]>; bls s <
> [email protected]>; [email protected]
> Subject: Re: [strongSwan] dpd not getting triggered
>
> Hi Andreas,
>
> Sorry the message came unformatted.
>
> Basically the message is going without nat payloads
>
> generating INFORMATIONAL request 3 []
>
> please let me know if I have to enable something. I already enabled mobike.
>
> regards,
> kalyani
>
> -----Original Message-----
> From: Users [mailto:[email protected]] On Behalf Of
> Kalyani Garigipati (kagarigi)
> Sent: Friday, January 12, 2018 4:14 PM
> To: Andreas Steffen <[email protected]>; bls s <
> [email protected]>; [email protected]
> Subject: Re: [strongSwan] dpd not getting triggered
>
> Hi Andreas,
>
> But I observed that even though I enabled mobike, dpd is not sending the
> NAT detection payload.
>
> Below are the logs. I am using strongswan-5.6.1
>
> charon: 08[NET] sending packet: from 10.127.47.104[500] to
> 10.104.108.110[500] (524 bytes) Jan 12 08:34:10 strongswan charon: 10[NET]
> received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)
> Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [
> SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ] Jan 12
> 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID
> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c)
> 2009 vendor ID Jan 12 08:34:10 strongswan charon: 10[IKE] received
> FRAGMENTATION vendor ID Jan 12 08:34:10 strongswan charon: 10[IKE] received
> 1 cert requests for an unknown ca Jan 12 08:34:10 strongswan charon:
> 10[IKE] sending cert request for "C=US, O=Cisco, CN=
> BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"
> Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of
> '10.127.47.104' (myself) with pre-shared key Jan 12 08:34:10 strongswan
> charon: 10[IKE] establishing CHILD_SA net-net{1} Jan 12 08:34:10 strongswan
> charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ
> IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR)
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] Jan 12 08:34:10 strongswan charon: 10[NET]
> sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528
> bytes) Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from
> 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes) Jan 12 08:34:10
> strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi
> TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ] Jan 12 08:34:10
> strongswan charon: 11[IKE] authentication of '10.104.108.110' with
> pre-shared key successful Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA
> net-net[1] established between 10.127.47.104[10.127.47.104]..
> .10.104.108.110[10.104.108.110]
> Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in
> 5093s Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime
> 5573s Jan 12 08:34:10 strongswan charon: 11[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Jan 12 08:34:10
> strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs
> c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32 Jan
> 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE Jan 12 08:34:15
> strongswan charon: 06[IKE] sending DPD request Jan 12 08:34:15 strongswan
> charon: 06[ENC] generating INFORMATIONAL request 2 [ ] Jan 12 08:34:15
> strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to
> 10.104.108.110[4500] (80 bytes) Jan 12 08:34:15 strongswan charon: 15[NET]
> received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80
> bytes) Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL
> response 2 [ ] Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD
> request Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL
> request 3 [ ] Jan 12 08:34:20 strongswan charon: 05[NET] sending packet:
> from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes) Jan 12 08:34:20
> strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to
> 10.127.47.104[4500] (80 bytes) Jan 12 08:34:20 strongswan charon: 07[ENC]
> parsed INFORMATIONAL response 3 [ ]
>
> Regards,
> Kalyani
>
> -----Original Message-----
> From: Andreas Steffen [mailto:[email protected]]
> Sent: Friday, January 12, 2018 2:46 PM
> To: Kalyani Garigipati (kagarigi) <[email protected]>; bls s <
> [email protected]>; [email protected]
> Subject: Re: [strongSwan] dpd not getting triggered
>
> Hi Kalyani,
>
> strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC
> 4555 MOBIKE which is enabled by default. See
>
> https://tools.ietf.org/html/rfc4555#section-3.8
>
> Regards
>
> Andreas
>
> On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
> > Hi,
> >
> > Thanks a lot for the reply. It worked. I see the dpd triggering now.
> >
> > I am working on a case when dpd from strongswan sends the nat
> > detection payloads.
> >
> > I wanted to know upon which conditions strongswan would send dpd
> > request with nat_detection_src_ip and nat_detection_dst_ip.
> >
> > Is it done only in specific case like when strongswan is behind the
> > nat ? and strongswan is in remote-access-client ?
> >
> > Regards,
> >
> > kalyani
> >
> > *From:*bls s [mailto:[email protected]]
> > *Sent:* Friday, January 12, 2018 6:40 AM
> > *To:* Kalyani Garigipati (kagarigi) <[email protected]>;
> > [email protected]
> > *Subject:* RE: [strongSwan] dpd not getting triggered
> >
> > By default dpdaction=none, which disables sending dpd messages.
> >
> > *From: *Kalyani Garigipati (kagarigi) <mailto:[email protected]>
> > *Sent: *Thursday, January 11, 2018 10:47 AM
> > *To: *[email protected] <mailto:[email protected]>
> > *Subject: *[strongSwan] dpd not getting triggered
> >
> > Hi,
> >
> > I am using strongswan version 5.6.1
> > I found that even though I configured dpd using dpddelay and
> > dpdtimeout, dpd is not getting triggered from strongswan client at all
> > even though there is no traffic passing.
> > Please let me know how to debug this.
> >
> > config setup
> >         charondebug=all
> >         # crlcheckinterval=600
> >         # strictcrlpolicy=yes
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         # charonstart=no
> >
> > conn %default
> >         ikelifetime=100m
> >         keylife=20m
> >         rekeymargin=8m
> >         keyingtries=1
> >         authby=psk
> >         keyexchange=ikev2
> >         ike=aes256-sha256-modp1024
> >         esp=3des-sha1
> >         mobike=yes
> >         dpddelay=5s
> >         dpdtimeout=150s
> >
> > # Add connections here.
> >
> > # Add connections here.
> > conn net-net
> >         left=10.127.47.104
> >         leftsubnet=10.127.47.104/32
> >         leftid=10.127.47.104
> >         right=10.104.108.110
> >         rightsubnet=10.104.108.110/32
> >         rightid=10.104.108.110
> >         auto=start
> >
> > ~
> > Regards,
> > kalyani
> >
>
> --
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> HSR University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
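
An added example, not part of the original thread and not strongSwan code: a small Python script that pairs the INFORMATIONAL requests and responses in charon `[ENC]` log lines like those quoted above by message ID, showing which DPD exchanges were answered and which carried NAT detection notifies. The entries for message IDs 2 and 3 are copied from the thread; IDs 4 and 5 and all function names are constructed for illustration.

```python
import re

# Message IDs 2 and 3 come from the thread; IDs 4 and 5 are constructed samples.
SAMPLE_LOG = """\
Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
Jan 12 08:34:25 strongswan charon: 05[ENC] generating INFORMATIONAL request 4 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 12 08:34:25 strongswan charon: 07[ENC] parsed INFORMATIONAL response 4 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jan 12 08:34:30 strongswan charon: 05[ENC] generating INFORMATIONAL request 5 [ ]
"""

# verb, message kind, message ID and the bracketed payload list of an [ENC] line
ENC_RE = re.compile(
    r"\[ENC\] (generating|parsed) INFORMATIONAL (request|response) (\d+) \[(.*?)\]"
)

def summarize_informational(log_text):
    """Map message ID -> payloads, NAT-D flag and whether a response was parsed."""
    exchanges = {}
    for line in log_text.splitlines():
        m = ENC_RE.search(line)
        if not m:
            continue
        verb, kind, msg_id = m.group(1), m.group(2), int(m.group(3))
        payloads = m.group(4).split()  # "[ ]" and "[]" both give an empty list
        if verb == "generating" and kind == "request":
            exchanges[msg_id] = {
                "payloads": payloads,
                "natd": any(p.startswith("N(NATD_") for p in payloads),
                "answered": False,
            }
        elif verb == "parsed" and kind == "response" and msg_id in exchanges:
            exchanges[msg_id]["answered"] = True
    return exchanges

def unanswered(exchanges):
    """Message IDs of requests for which no response was logged."""
    return sorted(i for i, e in exchanges.items() if not e["answered"])

if __name__ == "__main__":
    result = summarize_informational(SAMPLE_LOG)
    for msg_id, e in sorted(result.items()):
        kind = "NAT-D notifies" if e["natd"] else ("empty" if not e["payloads"] else "other")
        print(msg_id, kind, "answered" if e["answered"] else "NO RESPONSE")
    print("unanswered:", unanswered(result))
```
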
