[Swan] dead peer detection not working
Andrew Cagney
andrew.cagney at gmail.com
Sat Oct 16 00:07:18 UTC 2021
Are you running libreswan 4.5? If not can you try that or mainline?
This is what 4.5 looks like when it revives a connection:
"westnet-eastnet-ipv4-psk-ikev2" #1: STATE_V2_ESTABLISHED_IKE_SA:
retransmission; will wait 1 seconds for response
"westnet-eastnet-ipv4-psk-ikev2" #1: STATE_V2_ESTABLISHED_IKE_SA: 60
second timeout exceeded after 7 retransmits. No response (or no
acceptable response) to our IKEv2 message
"westnet-eastnet-ipv4-psk-ikev2" #1: liveness action - restarting all
connections that share this peer
"westnet-eastnet-ipv4-psk-ikev2": terminating SAs using this connection
"westnet-eastnet-ipv4-psk-ikev2" #2: ESP traffic information: in=84B out=84B
"westnet-eastnet-ipv4-psk-ikev2" #3: initiating IKEv2 connection
"westnet-eastnet-ipv4-psk-ikev2" #3: established IKE SA; authenticated
using authby=secret and peer ID_FQDN '@west'
"westnet-eastnet-ipv4-psk-ikev2" #4: established Child SA; IPsec
tunnel [192.0.2.0-192.0.2.255:0-65535 0] ->
[192.0.1.0-192.0.1.255:0-65535 0] {ESP=>0x5ef243d3 <0xdb669f85
xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=active}
https://testing.libreswan.org/v4.5-0-gf36ab1b1df-main/ikev2-liveness-02/OUTPUT/east.pluto.log.gz
For IKEv2 the only settings that matter are (values are what the above
test uses):
> dpdaction=restart
> dpddelay=5
I'm pretty sure:
> dpdtimeout=30
is ignored - in IKEv2 it is a retransmit timeout that will trigger a restart.
On Fri, 15 Oct 2021 at 17:34, Dave Houser <davehouser1 at gmail.com> wrote:
>
> Hello,
>
> I am trying to implement dead peer detection. However, when the far end SA kills the connection, the tunnel is never rebuilt. The tunnel will just stay down until a new rekey is initialized by the far end SA, in which case the connection will rebuild. BTW the far end is a Juniper SRX.
>
> Here is the output of /var/log/pluto.log right after I kill the connection on the far end, nothing else:
>
> Oct 15 23:33:10.518021: "to-vsrx-01" #6: ESP traffic information: in=756B out=1KB
> Oct 15 23:33:10.584609: "to-vsrx-01" #3: established IKE SA
>
>
> Here is my config:
>
> conn to-vsrx-01
>     auto=start
>     keyexchange=ike
>     authby=secret
>     ike=aes256-sha2_256;dh20
>     esp=aes256-sha2_256
>     left=2.2.1.2
>     leftid=2.2.1.2
>     leftsubnet=172.21.0.0/29
>     leftupdown=/opt/_updown_vti01
>     right=3.3.0.2
>     rightsubnet=0.0.0.0/0
>     dpddelay=1s
>     dpdtimeout=1s
>     dpdaction=restart
>
> Here is my leftupdown script I use
>
> #!/bin/bash
>
> set -o nounset
> set -o errexit
>
> VTI_IF="vti01"
>
> case "${PLUTO_VERB}" in
>     up-client)
>         ip tunnel add $VTI_IF local 2.2.0.2 remote 3.3.0.2 mode vti key 42
>         ip link set $VTI_IF up
>         ip addr add 172.21.0.3 dev $VTI_IF
>         ip route add 172.21.0.0/29 dev $VTI_IF
>         ip route add 10.0.26.0/24 dev $VTI_IF
>         sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
>         sysctl -w "net.ipv4.conf.$VTI_IF.rp_filter=0"
>         sysctl -w "net.ipv4.conf.$VTI_IF.forwarding=1"
>         ;;
>     down-client)
>         ip tunnel del $VTI_IF
>         ;;
> esac
>
> Am I misunderstanding what the dpd settings do? I need this tunnel to try to re-establish if it ever goes down. How can I accomplish this?
>
> - Dave
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
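Added example, not code from this thread or from libreswan: a small Python checker that applies the reading of the two logs above to pluto.log lines. It treats "ESP traffic information" as the Child SA teardown record (in the 4.5 log it follows "terminating SAs") and reports, per connection, whether a "liveness action" and a fresh "established Child SA" followed. The sample log is constructed from the excerpts quoted in this thread; the verdict strings are my own names.

```python
import re

# Constructed sample: the two pluto.log excerpts quoted in this thread, joined.
SAMPLE_LOG = """\
"westnet-eastnet-ipv4-psk-ikev2" #1: STATE_V2_ESTABLISHED_IKE_SA: retransmission; will wait 1 seconds for response
"westnet-eastnet-ipv4-psk-ikev2" #1: STATE_V2_ESTABLISHED_IKE_SA: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv2 message
"westnet-eastnet-ipv4-psk-ikev2" #1: liveness action - restarting all connections that share this peer
"westnet-eastnet-ipv4-psk-ikev2": terminating SAs using this connection
"westnet-eastnet-ipv4-psk-ikev2" #2: ESP traffic information: in=84B out=84B
"westnet-eastnet-ipv4-psk-ikev2" #3: initiating IKEv2 connection
"westnet-eastnet-ipv4-psk-ikev2" #3: established IKE SA; authenticated using authby=secret and peer ID_FQDN '@west'
"westnet-eastnet-ipv4-psk-ikev2" #4: established Child SA; IPsec tunnel [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] {ESP=>0x5ef243d3 <0xdb669f85 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=active}
Oct 15 23:33:10.518021: "to-vsrx-01" #6: ESP traffic information: in=756B out=1KB
Oct 15 23:33:10.584609: "to-vsrx-01" #3: established IKE SA
"""

# Optional timestamp prefix, quoted connection name, optional "#N" state number, then the message.
LINE_RE = re.compile(r'^(?:[^"]*: )?"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$')

def parse_line(line):
    """Return (connection, state number or None, message), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("conn"), (int(m.group("sa")) if m.group("sa") else None), m.group("msg")

def verdict(st):
    """Collapse a connection's flags into one verdict string (names are hypothetical)."""
    if not st["torn_down"]:
        return "up"
    if st["revived"]:
        return "revived-by-liveness" if st["liveness"] else "revived"
    return "down-restart-failed" if st["liveness"] else "down-liveness-never-fired"

def analyse(log_text):
    """Map each connection in the log to a verdict. "ESP traffic information" marks a
    Child SA teardown, so a tunnel only counts as up again once a later
    "established Child SA" line appears for the same connection."""
    state = {}
    for conn, _sa, msg in filter(None, map(parse_line, log_text.splitlines())):
        st = state.setdefault(conn, {"liveness": False, "torn_down": False, "revived": False})
        if msg.startswith("liveness action"):            # IKEv2 retransmit timeout fired dpdaction
            st["liveness"] = True
        elif msg.startswith("ESP traffic information"):  # Child SA deleted; tunnel is down from here
            st["torn_down"], st["revived"] = True, False
        elif msg.startswith("established Child SA") and st["torn_down"]:
            st["revived"] = True
    return {conn: verdict(st) for conn, st in state.items()}
```

Run against the sample, the 4.5 test connection comes back as revived by liveness, while "to-vsrx-01" shows a teardown with no liveness action and no new Child SA, which is the symptom described in the question.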