[Openswan Users] DPD-Problems using OpenSwan V2.6.22 on Kernel V2.6.27.28

David McCullough David_Mccullough at securecomputing.com
Sun Aug 2 09:01:53 EDT 2009

Jivin Michael Niehren lays it down ...
> Hi Paul,
> i've just playing around a bit more with then new Version under Kernel V2.6.27.28
> and i got no more crashes.
> I have here 2 running machines (V2.6.27.28) with 10 and 19 VPN-Connections. The VPN-Partner is
> in most cases Strongswan V2.5.7 under Kernel V2.4.37.
> The connections are all working without problems as long as i don't use DPD. 
> If i am using DPD it work's for a while and then i got errors of the form:
> Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: No response from peer - declaring peer dead
> Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: Clearing Connection
> But i could definitely say, that the VPN-Partner is avaliable at the time the error occurs. And
> i got for all my connections such errors after a while. After the error, the VPN is going down and
> build up again after a few seconds.
> Sometimes i also got an error like 'could not find phase 1 state for DPD'
> Maybe there is something wrong in the DPD code.
> Could you please take a look at it or let me know how can i help more for debugging.

I have been seeing the same thing.  Try setting 'nhelpers = 0' in the
'config setup' section of ipsec.conf.

Seems that when async crypto is enabled it occasionally causes pluto to get
the IV/key confused on at least the DPD packets.  I'm still trying to figure
out why,  but disabling helpers has stopped it happening in my testing so


David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

More information about the Users mailing list