[Swan] dpd question

Paul Wouters paul at nohats.ca
Fri Feb 1 18:14:18 UTC 2019


On Fri, 1 Feb 2019, Kostya Vasilyev wrote:

> Oh and maybe it wasn't "connection going away" - maybe it was the server trying to establish the initial connection.
>
> It's using IKEv1 - but the other side is set to use IKEv2 only.
>
> In fact the connection is already up (using IKEv2).
>
> Could this be the reason?
>
> In any case, how do I stop these endless connection attempts?

If you have auto=start then the goal is to always be up. So even if
DPD fails, the connection will attempt to be restarted again.

If you have auto=add but issued ipsec auto --up the same applies.

The same connection should not be up with ikev2 and be trying with
ikev1.

I'm not sure why you would want it to stop trying, but you can do
that by setting keyingtries= to non-zero.

Paul

> -- 
> Kostya Vasilyev
> kman at fastmail.com
>
> On Fri, Feb 1, 2019, at 8:41 PM, Kostya Vasilyev wrote:
>> Hello,
>>
>> I've got a question about dpd.
>>
>> Right now I see the following scenario with libreswan:
>>
>> - If a remote connection goes away
>> - The server starts trying to connect (with increasing interval)
>> - The max interval is reached
>> - And then instead of deleting the connection (to which there never was
>> a response) - the connection cycle starts over
>>
>> "mytunnel" #24: STATE_MAIN_I1: retransmission; will wait 32 seconds for
>> response
>> pending IPsec SA negotiation with 89.0.0.1 "mytunnel" took too long --
>> replacing phase 1
>> "mytunnel" #21: STATE_MAIN_I1: 60 second timeout exceeded after 7
>> retransmits.  No response (or no acceptable response) to our first IKEv1
>> message
>> "mytunnel" #21: starting keying attempt 2 of an unlimited number
>> "mytunnel" #22: initiating Main Mode to replace #21
>> "mytunnel" #21: deleting state (STATE_MAIN_I1) and NOT sending
>> notification
>> "mytunnel" #22: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for
>> response
>> "mytunnel" #22: STATE_MAIN_I1: retransmission; will wait 1 seconds for
>> response
>>
>> My .conf file includes these:
>>
>> 	dpddelay=30
>> 	dpdtimeout=120
>> 	dpdaction=clear
>>
>> Why do connection attempts start over again (and the connection not cleared)?
>>
>> --
>> Kostya Vasilyev
>> kman at fastmail.com
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan

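A defender-side check for the two points Paul makes above (a conn with auto=start is brought back up regardless of dpdaction, and only a non-zero keyingtries= bounds the retry loop), written as an added example for this thread; it is not code from libreswan or from either poster. The ipsec.conf and the log lines below are constructed samples modelled on the settings and the pluto output quoted in the thread; the conn name "backup", the logfile path, and the reading that keyingtries=0 and keyingtries=%forever both mean "retry without limit" are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample ipsec.conf, modelled on the settings quoted in the thread.
SAMPLE_CONF = """\
config setup
\tlogfile=/var/log/pluto.log

conn mytunnel
\tauto=start
\tdpddelay=30
\tdpdtimeout=120
\tdpdaction=clear

conn backup
\tauto=add
\tkeyingtries=3
\tdpdaction=restart
"""

# Constructed log lines, copied in shape from the pluto output quoted above.
SAMPLE_LOG = [
    '"mytunnel" #21: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits.',
    '"mytunnel" #21: starting keying attempt 2 of an unlimited number',
    '"mytunnel" #22: initiating Main Mode to replace #21',
    '"backup" #30: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response',
]


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: section headers ("conn NAME", "config setup")
    start in column 0, settings are indented key=value lines, '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":  # section header
            _kind, _, name = line.partition(" ")
            current = name.strip()
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"setting outside any section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


# Assumption (from the thread and libreswan's documented default): keyingtries=%forever
# is the default, and the older spelling keyingtries=0 also means "no limit".
UNLIMITED_TRIES = {"0", "%forever"}


def lint_conn(name: str, conn: Dict[str, str]) -> List[str]:
    """Flag settings that make a conn retry a silent peer indefinitely."""
    findings: List[str] = []
    auto = conn.get("auto", "ignore")
    tries = conn.get("keyingtries", "%forever")
    if auto == "start" and tries in UNLIMITED_TRIES:
        findings.append(f"{name}: auto=start with keyingtries={tries}: a peer that never "
                        "answers is retried forever; set keyingtries to a number to bound it")
    if auto == "start" and conn.get("dpdaction") == "clear":
        findings.append(f"{name}: dpdaction=clear is undone by auto=start, which brings "
                        "the conn back up as soon as DPD has cleared it")
    return findings


def lint_conf(text: str) -> List[str]:
    out: List[str] = []
    for name, conn in parse_ipsec_conf(text).items():
        if name == "setup":  # the "config setup" section holds no conn settings
            continue
        out.extend(lint_conn(name, conn))
    return out


# Matches the "starting keying attempt N of an unlimited number" line shown in the thread.
RETRY_FOREVER = re.compile(
    r'^"(?P<conn>[^"]+)" #\d+: starting keying attempt \d+ of an unlimited number')


def unlimited_retry_conns(log_lines) -> List[str]:
    """Return the conn names that pluto reports as retrying without limit."""
    seen = set()
    for line in log_lines:
        m = RETRY_FOREVER.match(line)
        if m:
            seen.add(m.group("conn"))
    return sorted(seen)


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print("conf:", finding)
    for conn in unlimited_retry_conns(SAMPLE_LOG):
        print("log: ", conn, "is retrying without limit")
```

Run against a real pluto log and /etc/ipsec.conf the two views should agree: a conn the linter flags for unlimited keyingtries is the one whose "attempt N of an unlimited number" lines keep growing, and a conn the log shows retrying that the linter does not flag points at something outside the conf (an `ipsec auto --up` issued by hand, as Paul notes, or an IKE version mismatch with the peer).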
