[Openswan Users] DPD-Problems using OpenSwan V2.6.22 on Kernel V188.8.131.52
David_Mccullough at securecomputing.com
Sun Aug 2 09:01:53 EDT 2009
Jivin Michael Niehren lays it down ...
> Hi Paul,
> I've just been playing around a bit more with the new version under Kernel V184.108.40.206
> and I got no more crashes.
> I have here 2 running machines (V220.127.116.11) with 10 and 19 VPN-Connections. The VPN-Partner is
> in most cases Strongswan V2.5.7 under Kernel V2.4.37.
> The connections are all working without problems as long as I don't use DPD.
> If I am using DPD it works for a while and then I got errors of the form:
> Jul 29 15:38:33 pluto: "buero_michael" #182: DPD: No response from peer - declaring peer dead
> Jul 29 15:38:33 pluto: "buero_michael" #182: DPD: Clearing Connection
> But I could definitely say that the VPN-Partner is available at the time the error occurs. And
> I got for all my connections such errors after a while. After the error, the VPN is going down and
> builds up again after a few seconds.
> Sometimes I also got an error like 'could not find phase 1 state for DPD'
> Maybe there is something wrong in the DPD code.
> Could you please take a look at it or let me know how I can help more with debugging.
I have been seeing the same thing. Try setting 'nhelpers = 0' in the
'config setup' section of ipsec.conf.
Seems that when async crypto is enabled it occasionally causes pluto to get
the IV/key confused on at least the DPD packets. I'm still trying to figure
out why, but disabling helpers has stopped it happening in my testing so
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
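
The workaround discussed above only matters for connections that actually use DPD while pluto's crypto helpers are enabled. The following is an added example, not part of the original post and not Openswan code: it parses an ipsec.conf and lists those connections. The function names, the sample configuration and the rule "a conn uses DPD when dpddelay or dpdtimeout is set" are assumptions of this example.

```python
# Added example (not Openswan code): list conns that use DPD while pluto's
# crypto helpers are still enabled, the combination reported in this thread.
# Assumptions: DPD is in use when dpddelay or dpdtimeout is set on the conn or
# inherited from "conn %default"; "also=" and "include" are not followed.

SAMPLE_CONF = """\
# constructed sample configuration, addresses are documentation ranges
config setup
    # nhelpers is not set here, so pluto's default applies

conn %default
    left=192.0.2.1

conn buero_michael
    right=198.51.100.7
    dpddelay=30
    dpdtimeout=120

conn no_dpd
    right=203.0.113.9
"""

DPD_KEYS = ("dpddelay", "dpdtimeout")

def parse_sections(text):
    """Map (kind, name), e.g. ("conn", "buero_michael"), to its options."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # column 0 starts a new section
            parts = line.split() + [""]
            current = sections.setdefault((parts[0], parts[1]), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)    # accepts "nhelpers = 0" too
            current[key.strip()] = value.strip().strip('"')
    return sections

def audit(text):
    """Return nhelpers and the DPD conns that run with helpers enabled."""
    sections = parse_sections(text)
    nhelpers = sections.get(("config", "setup"), {}).get("nhelpers")
    default = sections.get(("conn", "%default"), {})
    dpd_conns = sorted(
        name for (kind, name), opts in sections.items()
        if kind == "conn" and name != "%default"
        and any(k in {**default, **opts} for k in DPD_KEYS))
    return {"nhelpers": nhelpers, "dpd_conns": dpd_conns,
            "dpd_with_helpers": [] if nhelpers == "0" else dpd_conns}
```

Calling `audit(open("/etc/ipsec.conf").read())` on a gateway returns the connections to watch for the "declaring peer dead" messages; the list is empty once `nhelpers = 0` is in `config setup`.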