Hi, I like to combine custom retransmit settings too, because I find the default retransmission too "civilized"; I prefer to be more aggressive. Look here for details: https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
On Mon, 15 Jan 2018 23:35:18 +0530 Rajiv Kulkarni <rajivkulkarn...@gmail.com> wrote:

> Oops!!!....my comments are completely in the wrong context...and do not
> really apply....please forgive me...sorry for this
>
> On Mon, Jan 15, 2018 at 11:26 PM, Rajiv Kulkarni <rajivkulkarn...@gmail.com>
> wrote:
>
> > Hi
> >
> > Are these below not dpd-keepalive informational messages?....I think
> > dpd-keepalive is being exchanged between the peers...
> >
> > =========================
> > 1[IKE] peer supports MOBIKE
> > Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
> > Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
> > Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> > Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> > Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
> > Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
> > Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
> > Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> > Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> > Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
> > ===============================
> >
> > On Sun, Jan 14, 2018 at 10:42 PM, Kalyani Garigipati (kagarigi) <kagar...@cisco.com> wrote:
> >
> >> Hi,
> >>
> >> Could someone reply on this please
> >>
> >> Regards,
> >> Kalyani
> >>
> >> -----Original Message-----
> >> From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Kalyani Garigipati (kagarigi)
> >> Sent: Friday, January 12, 2018 5:22 PM
> >> To: Andreas Steffen <andreas.stef...@strongswan.org>; bls s <bl...@outlook.com>; users@lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Andreas,
> >>
> >> Sorry the message came unformatted.
> >>
> >> Basically the message is going without nat payloads
> >>
> >> generating INFORMATIONAL request 3 []
> >>
> >> please let me know if I have to enable something. I already enabled
> >> mobike.
> >>
> >> regards,
> >> kalyani
> >>
> >> -----Original Message-----
> >> From: Users [mailto:users-boun...@lists.strongswan.org] On Behalf Of Kalyani Garigipati (kagarigi)
> >> Sent: Friday, January 12, 2018 4:14 PM
> >> To: Andreas Steffen <andreas.stef...@strongswan.org>; bls s <bl...@outlook.com>; users@lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Andreas,
> >>
> >> But I observed that even though I enabled mobike, dpd is not sending the
> >> NAT detection payload.
> >>
> >> Below are the logs. I am using strongswan-5.6.1
> >>
> >> charon: 08[NET] sending packet: from 10.127.47.104[500] to 10.104.108.110[500] (524 bytes)
> >> Jan 12 08:34:10 strongswan charon: 10[NET] received packet: from 10.104.108.110[500] to 10.127.47.104[500] (471 bytes)
> >> Jan 12 08:34:10 strongswan charon: 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Delete Reason vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received Cisco Copyright (c) 2009 vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received FRAGMENTATION vendor ID
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] received 1 cert requests for an unknown ca
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] sending cert request for "C=US, O=Cisco, CN= BrianMojaveRoot.cisco.com, CN=BrianMojaveRoot.cisco.com"
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] authentication of '10.127.47.104' (myself) with pre-shared key
> >> Jan 12 08:34:10 strongswan charon: 10[IKE] establishing CHILD_SA net-net{1}
> >> Jan 12 08:34:10 strongswan charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> >> Jan 12 08:34:10 strongswan charon: 10[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (528 bytes)
> >> Jan 12 08:34:10 strongswan charon: 11[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (256 bytes)
> >> Jan 12 08:34:10 strongswan charon: 11[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) N(MOBIKE_SUP) ]
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] authentication of '10.104.108.110' with pre-shared key successful
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] IKE_SA net-net[1] established between 10.127.47.104[10.127.47.104]...10.104.108.110[10.104.108.110]
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] scheduling reauthentication in 5093s
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] maximum IKE_SA lifetime 5573s
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] CHILD_SA net-net{1} established with SPIs c6fbf7d4_i 775e9cde_o and TS 10.127.47.104/32 === 10.104.108.110/32
> >> Jan 12 08:34:10 strongswan charon: 11[IKE] peer supports MOBIKE
> >> Jan 12 08:34:15 strongswan charon: 06[IKE] sending DPD request
> >> Jan 12 08:34:15 strongswan charon: 06[ENC] generating INFORMATIONAL request 2 [ ]
> >> Jan 12 08:34:15 strongswan charon: 06[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> >> Jan 12 08:34:15 strongswan charon: 15[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> >> Jan 12 08:34:15 strongswan charon: 15[ENC] parsed INFORMATIONAL response 2 [ ]
> >> Jan 12 08:34:20 strongswan charon: 05[IKE] sending DPD request
> >> Jan 12 08:34:20 strongswan charon: 05[ENC] generating INFORMATIONAL request 3 [ ]
> >> Jan 12 08:34:20 strongswan charon: 05[NET] sending packet: from 10.127.47.104[4500] to 10.104.108.110[4500] (80 bytes)
> >> Jan 12 08:34:20 strongswan charon: 07[NET] received packet: from 10.104.108.110[4500] to 10.127.47.104[4500] (80 bytes)
> >> Jan 12 08:34:20 strongswan charon: 07[ENC] parsed INFORMATIONAL response 3 [ ]
> >>
> >> Regards,
> >> Kalyani
> >>
> >> -----Original Message-----
> >> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> >> Sent: Friday, January 12, 2018 2:46 PM
> >> To: Kalyani Garigipati (kagarigi) <kagar...@cisco.com>; bls s <bl...@outlook.com>; users@lists.strongswan.org
> >> Subject: Re: [strongSwan] dpd not getting triggered
> >>
> >> Hi Kalyani,
> >>
> >> strongSwan uses NAT detection payloads in INFORMATIONAL messages with RFC
> >> 4555 MOBIKE which is enabled by default. See
> >>
> >> https://tools.ietf.org/html/rfc4555#section-3.8
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 12.01.2018 07:16, Kalyani Garigipati (kagarigi) wrote:
> >> > Hi,
> >> >
> >> > Thanks a lot for the reply. It worked. I see the dpd triggering now.
> >> >
> >> > I am working on a case when dpd from strongswan sends the nat
> >> > detection payloads.
> >> >
> >> > I wanted to know upon which conditions strongswan would send dpd
> >> > request with nat_detection_src_ip and nat_detection_dst_ip.
> >> >
> >> > Is it done only in specific case like when strongswan is behind the
> >> > nat ? and strongswan is in remote-access-client ?
> >> >
> >> > Regards,
> >> >
> >> > kalyani
> >> >
> >> > *From:* bls s [mailto:bl...@outlook.com]
> >> > *Sent:* Friday, January 12, 2018 6:40 AM
> >> > *To:* Kalyani Garigipati (kagarigi) <kagar...@cisco.com>; users@lists.strongswan.org
> >> > *Subject:* RE: [strongSwan] dpd not getting triggered
> >> >
> >> > By default dpdaction=none, which disables sending dpd messages.
> >> >
> >> > *From:* Kalyani Garigipati (kagarigi) <mailto:kagar...@cisco.com>
> >> > *Sent:* Thursday, January 11, 2018 10:47 AM
> >> > *To:* users@lists.strongswan.org <mailto:users@lists.strongswan.org>
> >> > *Subject:* [strongSwan] dpd not getting triggered
> >> >
> >> > Hi,
> >> >
> >> > I am using strongswan version 5.6.1
> >> > I found that even though I configured dpd using dpddelay and
> >> > dpdtimeout, dpd is not getting triggered from strongswan client at all
> >> > even though there is no traffic passing.
> >> > Please let me know how to debug this.
> >> >
> >> > config setup
> >> >         charondebug=all
> >> >         # crlcheckinterval=600
> >> >         # strictcrlpolicy=yes
> >> >         # cachecrls=yes
> >> >         # nat_traversal=yes
> >> >         # charonstart=no
> >> >
> >> > conn %default
> >> >         ikelifetime=100m
> >> >         keylife=20m
> >> >         rekeymargin=8m
> >> >         keyingtries=1
> >> >         authby=psk
> >> >         keyexchange=ikev2
> >> >         ike=aes256-sha256-modp1024
> >> >         esp=3des-sha1
> >> >         mobike=yes
> >> >         dpddelay=5s
> >> >         dpdtimeout=150s
> >> >
> >> > # Add connections here.
> >> >
> >> > # Add connections here.
> >> > conn net-net
> >> >         left=10.127.47.104
> >> >         leftsubnet=10.127.47.104/32
> >> >         leftid=10.127.47.104
> >> >         right=10.104.108.110
> >> >         rightsubnet=10.104.108.110/32
> >> >         rightid=10.104.108.110
> >> >         auto=start
> >> >
> >> > ~
> >> > Regards,
> >> > kalyani
> >> >
> >>
> >> --
> >> ======================================================================
> >> Andreas Steffen                         andreas.stef...@strongswan.org
> >> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> >> Institute for Networked Solutions
> >> HSR University of Applied Sciences Rapperswil
> >> CH-8640 Rapperswil (Switzerland)
> >> ===========================================================[INS-HSR]==
> >>

--
Rhinos can fly, It's just a case of mind over matter ...
... And you need a lot of mind to control that much matter ...
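
The cause found in this thread (dpdaction defaults to none, so dpddelay on its own sends nothing) can be checked mechanically. The following is an added example, not part of the original messages and not strongSwan code: a small Python check that resolves `conn %default` inheritance in an ipsec.conf and reports DPD settings that have no effect. The sample file, the conn `net-net-fixed` and the function names are constructed for illustration, `also=` includes are not handled, and the dpdtimeout check assumes the ipsec.conf documentation's statement that this option applies to IKEv1 only.

```python
# Constructed sample, modelled on the ipsec.conf quoted in the thread.
SAMPLE_CONF = """\
config setup
    charondebug=all

conn %default
    keyexchange=ikev2
    dpddelay=5s
    dpdtimeout=150s

conn net-net
    left=10.127.47.104
    right=10.104.108.110
    auto=start

conn net-net-fixed
    left=10.127.47.104
    right=10.104.108.110
    dpdaction=restart
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: effective settings}, applying 'conn %default'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:     # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **conf} for name, conf in sections.items()}

def dpd_findings(text):
    """List (conn, message) pairs for DPD settings that have no effect."""
    findings = []
    for name, conf in parse_conns(text).items():
        action = conf.get("dpdaction", "none")        # default per the thread
        if action == "none" and ("dpddelay" in conf or "dpdtimeout" in conf):
            findings.append((name, "dpddelay/dpdtimeout set but dpdaction=none: no DPD is sent"))
        if conf.get("keyexchange") == "ikev2" and "dpdtimeout" in conf:
            findings.append((name, "dpdtimeout is IKEv1-only; IKEv2 uses the retransmission settings"))
    return findings
```

Calling `dpd_findings(SAMPLE_CONF)` reports `net-net` for both checks and `net-net-fixed` only for the dpdtimeout one.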