<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 02/05/2019 19:19, Paul Wouters
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:alpine.LRH.2.21.1905021418240.1269@bofh.nohats.ca">
      <br>
      On Thu, 2 May 2019, Nick Howitt wrote:
      <br>
      <br>
      <blockquote type="cite">      I have an IKEv2 conn with one end
        behind NAT:
        <br>
              Nat'd (remote):
        <br>
              conn nick-ikev2
        <br>
               type=tunnel
        <br>
               authby=secret
        <br>
               auto=start
        <br>
               left=10.20.40.248
        <br>
               leftsourceip=192.168.20.1
        <br>
               leftsubnet=192.168.20.0/24
        <br>
               leftid=@clearos_in_clearvm
        <br>
               right=my.fqdn
        <br>
               rightsubnet=172.17.2.0/24
        <br>
               rightid=@nick
        <br>
               ikev2=insist
        <br>
               dpdaction=restart
        <br>
               dpdtimeout=120
        <br>
               dpddelay=30
        <br>
      </blockquote>
      <br>
      looks ok.
      <br>
      <br>
      <blockquote type="cite">      Other (local) end:
        <br>
              conn nick-ikev2
        <br>
               type=tunnel
        <br>
               authby=secret
        <br>
               auto=add
        <br>
               left=%any
        <br>
               #left=209.90.117.194
        <br>
               leftsubnet=192.168.20.0/24
        <br>
               leftid=@clearos_in_clearvm
        <br>
               right=%defaultroute
        <br>
               rightsubnet=172.17.2.0/24
        <br>
               rightsourceip=172.17.2.1
        <br>
               rightid=@nick
        <br>
               ikev2=insist
        <br>
               dpdaction=restart
        <br>
               dpdtimeout=120
        <br>
               dpddelay=30
        <br>
               rekey=no
        <br>
      </blockquote>
      <br>
      auto=add with rekey=no should have dpdaction=clear and not
      restart, as
      <br>
      it cannot start to the endpoint behind NAT.
      <br>
      <br>
      <blockquote type="cite">      Using
        libreswan-3.25-4.1.el7_6.x86_64.
        <br>
      </blockquote>
      <br>
      Can you run with plutodebug=all then egrep -i dpd over the log?
      <br>
      <br>
      Paul
      <br>
    </blockquote>
    The output is not very helpful!<br>
    <br>
    [root@ad-dc-server ~]# grep dpd -i  /var/log/libreswan<br>
    May  2 20:30:47.371103: "nick-ikev2" #2: STATE_V2_IPSEC_I: IPsec SA
    established tunnel mode {ESP/NAT=>0x6e8287b3 <0x5b64618f
    xfrm=AES_GCM_16_256-NONE NATOA=none NATD=90.255.224.113:4500
    DPD=active}<br>
    May  2 20:30:47.371141: | dpd enabled, scheduling ikev2 liveness
    checks<br>
    <br>
    and that is it. I let it run for about 7 minutes after I replaced
    the conn at the other end. Do you want the full log?<br>
    <br>
    Nick<br>
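    <br>
    As an added illustration (not part of the thread, and not libreswan
    project code), here is the responder-side conn from the message above
    with the single change Paul suggests applied: the end that only accepts
    connections (auto=add) and never rekeys (rekey=no) uses dpdaction=clear,
    so a failed liveness check tears down the stale SA and leaves the
    NAT'd peer, which keeps auto=start and dpdaction=restart, to bring the
    tunnel back up. Names, IDs, subnets and timers are the ones from the
    posted configs; the two conns live in ipsec.conf on two different
    hosts and are shown together here only for comparison.<br>

```ini
# --- Responder (non-NAT'd) end, ipsec.conf ---
# auto=add: this end only waits for the peer to initiate. It has no
# reachable address for the peer behind NAT, so after liveness fails it
# must clear the SA instead of trying to restart it (dpdaction=restart
# would have nothing it can connect to).
conn nick-ikev2
	type=tunnel
	authby=secret
	auto=add
	left=%any
	leftsubnet=192.168.20.0/24
	leftid=@clearos_in_clearvm
	right=%defaultroute
	rightsubnet=172.17.2.0/24
	rightsourceip=172.17.2.1
	rightid=@nick
	ikev2=insist
	dpddelay=30
	dpdtimeout=120
	# was: dpdaction=restart
	dpdaction=clear
	rekey=no

# --- NAT'd initiator end, ipsec.conf (unchanged from the thread) ---
# auto=start and dpdaction=restart stay here: this side knows the
# responder's FQDN and is the only one that can re-establish the tunnel
# once the responder has cleared the dead SA.
conn nick-ikev2
	type=tunnel
	authby=secret
	auto=start
	left=10.20.40.248
	leftsourceip=192.168.20.1
	leftsubnet=192.168.20.0/24
	leftid=@clearos_in_clearvm
	right=my.fqdn
	rightsubnet=172.17.2.0/24
	rightid=@nick
	ikev2=insist
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
```

    The check to run after changing the responder is the one Paul asked for:
    with plutodebug=all set, grep the pluto log case-insensitively for dpd
    and liveness lines and confirm that, after dpdtimeout seconds without a
    reply, the responder logs the SA being cleared and the initiator then
    logs a fresh IKE SA.<br>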
  </body>
</html>