Hi Paul,<br><br>I upgraded them (both server and client side) to 2.6.32 but the problem is still here. It works fine if I don't use XAUTH. If I enabled XAUTH the issue happens. The below is the client's log messages which may be critical for DPD. I say "may be", because I am not very familiar with the code.<br>
<br>Have you ever tested openswan's DPD feature with XAUTH enabled? I read from the ipsec.conf man page that the xauth connections cannot to rekey, so I also disabled the rekey on the both sides, but it also did not help. Why I did this? Because on the client side side I see ""xauthclient" #2: DPD: could not find newest phase 1 state", and some google searches took me to disable rekey.<br>
<br>Regards,<br>Murat<br><br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 31 bc 27 bb 76 4f 1e 84 8f 7c 21 02 99 53 ba 5a<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | unpadded size is: 20<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | emitting 12 zero bytes of encryption padding into ISAKMP Message<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | encrypting 32 using OAKLEY_AES_CBC<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | next IV: e8 41 37 50 87 a0 ce 2a 1e 58 44 f0 b1 9c 52 21<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | emitting length of ISAKMP Message: 60<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inR1_outI2: instance xauthclient[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | ICOOKIE: 06 b9 09 7c a0 c2 b4 5c<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | RCOOKIE: 6c ec 8b 27 c2 9f fd ba<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state hash entry 30<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #2, provided msgid 00000000 vs 903dd311<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 state object #1 found, in STATE_XAUTH_I1<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled<br>
<span style="color: rgb(255, 0, 0);">Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state: 2 requesting event none to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:162</span><br style="color: rgb(255, 0, 0);">
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_DPD, timeout in 30 seconds for #2<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_DPD for #1<br><span style="color: rgb(255, 0, 0);">Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state: 1 requesting event EVENT_DPD to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:174</span><br style="color: rgb(255, 0, 0);">
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_OK<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | deleting event for #2<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | sending reply packet to <a href="http://192.168.2.142:500">192.168.2.142:500</a> (from port 500)<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | sending 60 bytes for STATE_QUICK_I1 through eth0:500 to <a href="http://192.168.2.142:500">192.168.2.142:500</a> (using #2)<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 06 b9 09 7c a0 c2 b4 5c 6c ec 8b 27 c2 9f fd ba<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 08 10 20 01 90 3d d3 11 00 00 00 3c af 7f fc a6<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | c2 77 31 62 69 14 26 ae 93 39 fd f1 e8 41 37 50<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 87 a0 ce 2a 1e 58 44 f0 b1 9c 52 21<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_SA_REPLACE, timeout in 28118 seconds for #2<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_REINIT_SECRET<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2084c974 <0x09c7f7f1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | modecfg pull: noquirk policy:push not-client<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | phase 1 is done, looking for phase 2 to unpend<br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_INLINE<br>
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | * processed 0 messages from cryptographic helpers <br>Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | next event EVENT_DPD in 30 seconds for #2<br><br><br><br><div class="gmail_quote">
On Tue, Jan 4, 2011 at 6:50 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On Tue, 4 Jan 2011, Murat Sezgin wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
The client's version is; Openswan U2.6.26/K2.6.35-24-generic (netkey)<br>
The server's version is: 2.6.24rc4<br>
</blockquote>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Both DPD and XAUTH are enabled. The connection is established<br>
successfully, but when I unplug the cables between the peers, the client<br>
does not timeout after the DPD timeout value. I see the below logs in the<br>
</blockquote>
<br></div>
Plese upgrade to 2.6.31 or 2.6.32. There were some DPD fixes that were<br>
brought in in those versions.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
My client's ipsec.conf file is as below:<br>
</blockquote>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=hold<br>
</blockquote>
<br></div>
You probably want dpdaction=restart ?<br>
<br>
On the serve ryou want dpdaction=clear<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>