[Openswan Users] IPSec, Windows XP/2000 and Dead Peer Detection

Andrej Trobentar andrej.trobentar at rikom.si
Wed Oct 12 14:04:30 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jacco de Leeuw wrote:
> Windows does not support Dead Peer Detection (DPD) so I cannot imagine
> that DPD is involved. Did you check the logs at either side to see what
> causes the disconnects?

My conn section looks like this :

conn roadwarior-l2tpd
        left=193.2.211.10
        leftnexthop=193.2.211.1
        leftprotoport=17/1701
        leftcert=rikom.sk-branik.si.pem
        right=%any
        rightprotoport=17/1701
        rightca="C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., ..."
        rightsubnet=vhost:%no,%priv
        dpddelay=10
        dpdtimeout=60
        dpdaction=clear
        auto=add

And when the Win 2000/XP client connects I get these lines in the log:

packet from 195.246.29.56:500: received and ignored informational message
packet from 195.246.29.56:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000002]
packet from 195.246.29.56:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 195.246.29.56:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"roadwarior-l2tpd"[3] 195.246.29.56 #13: responding to Main Mode from
unknown peer 195.246.29.56
"roadwarior-l2tpd"[3] 195.246.29.56 #13: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
"roadwarior-l2tpd"[3] 195.246.29.56 #13: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"roadwarior-l2tpd"[3] 195.246.29.56 #13: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
"roadwarior-l2tpd"[3] 195.246.29.56 #13: Main mode peer ID is
ID_DER_ASN1_DN: 'C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., OU=VPN
Andrej Trobentar, CN=VPN Andrej Trobentar, E=andrej.trobentar at rikom.si'
"roadwarior-l2tpd"[3] 195.246.29.56 #13: crl update for "C=SI,
ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate,
E=admin at rikom.si" is overdue since Jul 20 09:29:14 UTC 2005
"roadwarior-l2tpd"[4] 195.246.29.56 #13: deleting connection
"roadwarior-l2tpd" instance with peer 195.246.29.56 {isakmp=#0/ipsec=#0}
"roadwarior-l2tpd"[4] 195.246.29.56 #13: I am sending my cert
"roadwarior-l2tpd"[4] 195.246.29.56 #13: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
"roadwarior-l2tpd"[4] 195.246.29.56 #13: sent MR3, ISAKMP SA established
"roadwarior-l2tpd"[4] 195.246.29.56 #13: Dead Peer Detection (RFC 3706):
not enabled because peer did not advertise it
"roadwarior-l2tpd"[4] 195.246.29.56 #14: responding to Quick Mode
{msgid:45c179e6}
"roadwarior-l2tpd"[4] 195.246.29.56 #14: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
"roadwarior-l2tpd"[4] 195.246.29.56 #14: Dead Peer Detection (RFC 3706):
 not enabled because peer did not advertise it <-------------------------
"roadwarior-l2tpd"[4] 195.246.29.56 #14: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
"roadwarior-l2tpd"[4] 195.246.29.56 #14: IPsec SA established
{ESP=>0x49c8296e <0x4435d67f
xfrm=3DES_0-HMAC_MD5}


So I guess the dpd* parameters in ipsec.conf don't have any effect,
because Windows doesn't support DPD :(

My co-workers are on ADSL, Cable or ISDN lines and this happens on all
connections.
They said that the ADSL, Cable or ISDN connection *doesn't* disconnect, but
in the middle of their work they can't reach the VPN server (or clients
behind it) anymore, and after a couple of seconds the VPN icon in Windows
XP/2000 disappears. After that they can't connect to the VPN gateway anymore!
They can't even ping the VPN server anymore, but the internet is working
fine. What can I check to see what is causing these disconnects?

> Are those Windows clients behind NAT, by any chance? There have been a few
> NAT-T related fixes in Openswan 2.4.x. You might want to try that version.

Some of the clients are behind NAT some aren't. The problem exists in
both situations.
At the moment I'm running openswan-2.3.1 on a linux-2.4.31 kernel, but I
guess I must try openswan-2.4.x...

- --
Thanks for the answers,

	Andrej.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDTO29Vd/NU2yFfAoRArCNAKCBR+NqVL2PzjQINQ9Unw8mjmAWCgCffhFC
AxFxhyh8n1XUx2h7voh+ddA=
=8EQC
-----END PGP SIGNATURE-----
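Added example, not part of the original post and not Openswan code: a small Python script that runs over Pluto log lines like the ones quoted above and reports, per peer, the facts a gateway admin would want before chasing a disconnect: which vendor IDs the client sent (the "MS NT5 ISAKMPOAKLEY" ID marks a Windows 2000/XP IKE client), whether DPD was negotiated (so whether the dpd* settings can do anything for that peer), whether the issuing CA's CRL is overdue, and which ESP transform the IPsec SA ended up with. The embedded SAMPLE_LOG is a constructed transcription of the messages quoted in the post with the mail-client line wrapping undone; the regexes match the Openswan 2.x Pluto message formats shown there and nothing else.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Pluto lines quoted in the post above, each log
# record on a single line (the mail client had wrapped them).
SAMPLE_LOG = """\
packet from 195.246.29.56:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
packet from 195.246.29.56:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"roadwarior-l2tpd"[3] 195.246.29.56 #13: responding to Main Mode from unknown peer 195.246.29.56
"roadwarior-l2tpd"[3] 195.246.29.56 #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"roadwarior-l2tpd"[3] 195.246.29.56 #13: Main mode peer ID is ID_DER_ASN1_DN: 'C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., OU=VPN Andrej Trobentar, CN=VPN Andrej Trobentar, E=andrej.trobentar at rikom.si'
"roadwarior-l2tpd"[3] 195.246.29.56 #13: crl update for "C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o., CN=Rikom Root Certificate, E=admin at rikom.si" is overdue since Jul 20 09:29:14 UTC 2005
"roadwarior-l2tpd"[4] 195.246.29.56 #13: deleting connection "roadwarior-l2tpd" instance with peer 195.246.29.56 {isakmp=#0/ipsec=#0}
"roadwarior-l2tpd"[4] 195.246.29.56 #13: sent MR3, ISAKMP SA established
"roadwarior-l2tpd"[4] 195.246.29.56 #13: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
"roadwarior-l2tpd"[4] 195.246.29.56 #14: responding to Quick Mode {msgid:45c179e6}
"roadwarior-l2tpd"[4] 195.246.29.56 #14: IPsec SA established {ESP=>0x49c8296e <0x4435d67f xfrm=3DES_0-HMAC_MD5}
"""

PACKET_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)$')
VID_RE = re.compile(r'Vendor ID payload \[(?P<vid>[^\]]+)\]')
CRL_RE = re.compile(r'crl update for "(?P<issuer>[^"]+)" is overdue since (?P<since>.+)$')
XFRM_RE = re.compile(r'xfrm=(?P<xfrm>[A-Za-z0-9_-]+)')


@dataclass
class PeerState:
    """What Pluto reported about one IKE peer (one road-warrior client)."""
    peer: str
    conn: str = ""
    vendor_ids: List[str] = field(default_factory=list)
    instances: set = field(default_factory=set)      # conn instance numbers seen, e.g. {3, 4}
    peer_dn: str = ""
    nat_result: str = ""
    isakmp_established: bool = False
    ipsec_established: bool = False
    dpd_negotiated: Optional[bool] = None            # None: Pluto never reported on DPD
    crl_overdue: Optional[Tuple[str, str]] = None    # (issuer DN, overdue-since timestamp)
    xfrm: str = ""                                   # ESP transform of the IPsec SA


def parse_pluto_log(text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:  # pre-SA "packet from" lines carry the vendor IDs
            st = peers.setdefault(m['peer'], PeerState(m['peer']))
            vid = VID_RE.search(m['msg'])
            if vid:
                st.vendor_ids.append(vid['vid'])
            continue
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        st = peers.setdefault(m['peer'], PeerState(m['peer']))
        st.conn = m['conn']
        st.instances.add(int(m['inst']))
        msg = m['msg']
        if msg.startswith('Main mode peer ID is'):
            dn = re.search(r"'([^']*)'", msg)
            st.peer_dn = dn.group(1) if dn else ""
        elif msg.startswith('NAT-Traversal: Result'):
            st.nat_result = msg.rsplit(': ', 1)[-1]
        elif 'ISAKMP SA established' in msg:
            st.isakmp_established = True
        elif msg.startswith('Dead Peer Detection'):
            st.dpd_negotiated = 'not enabled' not in msg
        elif 'IPsec SA established' in msg:
            st.ipsec_established = True
            x = XFRM_RE.search(msg)
            st.xfrm = x['xfrm'] if x else ""
        else:
            c = CRL_RE.search(msg)
            if c:
                st.crl_overdue = (c['issuer'], c['since'])
    return peers


def findings(st: PeerState) -> List[str]:
    """Operator-facing conclusions drawn only from what the log states."""
    out = []
    if any(v.startswith('MS NT5 ISAKMPOAKLEY') for v in st.vendor_ids):
        out.append('peer is a Windows 2000/XP IKE client (MS NT5 ISAKMPOAKLEY vendor ID)')
    if st.dpd_negotiated is False:
        out.append('DPD not negotiated: dpddelay/dpdtimeout/dpdaction have no effect for this '
                   'peer; if the client vanishes silently its SAs stay until they expire')
    if st.crl_overdue:
        issuer, since = st.crl_overdue
        out.append(f'CRL for "{issuer}" overdue since {since}'
                   + (' and the peer was still authenticated' if st.isakmp_established else '')
                   + ': certificates revoked since then are not being rejected')
    if st.ipsec_established and any(a in st.xfrm for a in ('3DES', 'MD5')):
        out.append(f'IPsec SA negotiated legacy algorithms ({st.xfrm})')
    if len(st.instances) > 1:
        out.append(f'connection instance renumbered {sorted(st.instances)}: an earlier '
                   'instance for this peer was deleted during the exchange')
    return out


if __name__ == '__main__':
    for peer, st in parse_pluto_log(SAMPLE_LOG).items():
        print(f'{peer} ({st.conn}) DN={st.peer_dn!r} NAT={st.nat_result!r} '
              f'ISAKMP={st.isakmp_established} IPsec={st.ipsec_established}')
        for f in findings(st):
            print('  -', f)
```

Run it against a real /var/log/secure (or wherever pluto logs) by replacing SAMPLE_LOG with the file contents; one PeerState per client IP comes out, and the "DPD not negotiated" finding tells you which clients the dpd* settings cannot help.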

