Hi all,<div><br></div><div>I am trying to make a direct connection between a openswan roadwarrior client (ubuntu) and an openswan server.</div><div><br></div><div>The client's version is; Openswan U2.6.26/K2.6.35-24-generic (netkey)</div>
<div>The server's version is: 2.6.24rc4</div><div><br></div><div>The server is a VPN router.</div><div><br></div><div>Both DPD and XAUTH are enabled. The connection is established successfully, but when I unplug the cables between the peers, the client does not timeout after the DPD timeout value. I see the below logs in the /var/log/auth.log file. Can you please tell me what is wrong here? </div>
<div><br></div><div><div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: initiating Main Mode</div><div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: ignoring unknown Vendor ID payload [4f454a64436d56714e727861]</div>
<div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: received Vendor ID payload [Dead Peer Detection]</div><div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: received Vendor ID payload [XAUTH]</div>
<div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div><div>Jan 4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.142'</div><div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1536}</div><div>Jan 4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled</div>
<div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: XAUTH: Answering XAUTH challenge with user='guest1'</div><div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1</div>
<div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set</div><div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled</div>
<div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: XAUTH: Successfully Authenticated</div><div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1</div>
<div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set</div><div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled</div>
<div>Jan 4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:057c1ccd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}</div>
<div>Jan 4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled</div><div>Jan 4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</div>
<div>Jan 4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4ba891cf <0xd62162fc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}</div>
<div><font class="Apple-style-span" color="#FF0000">Jan 4 13:37:20 msezgin-laptop pluto[6001]: "xauthclient" #2: DPD: could not find newest phase 1 state</font></div></div><div><br></div><div><br></div><div>My client's ipsec.conf file is as below:</div>
<div><br></div><div><div>config setup</div><div> # Do not set debug options to debug configuration issues!</div><div> # plutodebug / klipsdebug = "all", "none" or a combation from below:</div>
<div> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"</div><div> # eg:</div><div> # plutodebug="control parsing"</div><div> #</div><div> # enable to get logs per-peer</div>
<div> # plutoopts="--perpeerlog"</div><div> #</div><div> # Again: only enable plutodebug or klipsdebug when asked by a developer</div><div> #</div><div> # NAT-TRAVERSAL support, see README.NAT-Traversal</div>
<div> #nat_traversal=yes</div><div> # exclude networks used on server side by adding %v4:!a.b.c.0/24</div><div> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</a></div>
<div> # OE is now off by default. Uncomment and change to on, to enable.</div><div> oe=off</div><div> # which IPsec stack to use. netkey,klips,mast,auto or none</div><div> protostack=netkey</div>
<div><br></div><div>conn xauthclient</div><div> left=%defaultroute</div><div> leftxauthclient=yes</div><div> right=192.168.2.142</div><div> rightsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a></div>
<div> rightsourceip=192.168.0.1</div><div> dpddelay=30</div><div> dpdtimeout=120</div><div> dpdaction=hold</div><div> authby=secret</div><div> auto=add</div></div><div><br></div>