[Swan] dead peer deduction not working
andrew.cagney at gmail.com
Thu Oct 21 22:14:14 UTC 2021
FYI, I'm using this test as a reference:
which contains the config files; OUTPUT contains the results: west
establishes, and then east does a liveness.
the two knobs are:
the initial retransmit interval is decayed
On Mon, 18 Oct 2021 at 11:28, Dave Houser <davehouser1 at gmail.com> wrote:
> > With IKEv2, pluto treats the liveness exchange (nee dpd probe) the
> > same as any other. It uses:
> > retransmit-timeout=...
> I tried setting the "retransmit-timeout" setting to something lower like "5s", then re-added my config and turned up the tunnel. I then cleared the SA on the Juniper, and then waited 5 seconds; nothing happened in the logs. However, after ~300s I see this in the logs.
FYI, liveness probes are normally silent, they only show when
something goes wrong (else they would swamp the logs). Enable
debugging to see them (see above).
(Hmm, next liveness probe should appear in show state output).
> Oct 18 17:17:34.768743: "to-vsrx-01" #62: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 300.047581s and NOT sending notification
> Oct 18 17:17:34.769920: "to-vsrx-01" #62: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
> Oct 18 17:17:34.770566: "to-vsrx-01": initiating connection 'to-vsrx-01' with serial $6 which received a Delete/Notify but must remain up per local policy
It looks like the other end deleted the SA?
> I am not clear on what the bug is here. This log entry does not appear in my logs. Is this an entry in your logs? Would be happy to open a bug, can you help clarify what the problem is and how I can recreate it in my system? Apologies if I am confused.
This log line is bogus. It's an IKEv1 hangover:
>> > "conn: "to-mx104-02" warning dpd settings are ignored unless both dpdtimeout= and dpddelay= are set"