[Openswan Users] DPD-Problems using OpenSwan V2.6.22 on Kernel V2.6.27.28
David McCullough
David_Mccullough at securecomputing.com
Sun Aug 2 09:01:53 EDT 2009
Jivin Michael Niehren lays it down ...
> Hi Paul,
>
> I've just been playing around a bit more with the new version under Kernel V2.6.27.28
> and I got no more crashes.
>
> I have here 2 running machines (V2.6.27.28) with 10 and 19 VPN-Connections. The VPN-Partner is
> in most cases Strongswan V2.5.7 under Kernel V2.4.37.
> The connections are all working without problems as long as I don't use DPD.
> If I am using DPD it works for a while and then I got errors of the form:
>
> Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: No response from peer - declaring peer dead
> Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: Clearing Connection
>
> But I could definitely say that the VPN-Partner is available at the time the error occurs. And
> I got such errors for all my connections after a while. After the error, the VPN goes down and
> builds up again after a few seconds.
>
> Sometimes I also got an error like 'could not find phase 1 state for DPD'
>
> Maybe there is something wrong in the DPD code.
>
> Could you please take a look at it or let me know how I can help more with debugging.

I have been seeing the same thing. Try setting 'nhelpers = 0' in the
'config setup' section of ipsec.conf.

Seems that when async crypto is enabled it occasionally causes pluto to get
the IV/key confused on at least the DPD packets. I'm still trying to figure
out why, but disabling helpers has stopped it happening in my testing so
far.

Cheers,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
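
One way to confirm that the workaround is set and to see whether the DPD failures quoted in the thread still recur, per connection. This is an added example, not part of the original message and not Openswan code. The sample log and config are constructed, and the connection name `site_b`, the helper names and the layout of the "phase 1 state" line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the thread; the
# layout of the "could not find phase 1 state" line is an assumption.
SAMPLE_LOG = """\
Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: No response from peer - declaring peer dead
Jul 29 15:38:33 pluto[7169]: "buero_michael" #182: DPD: Clearing Connection
Jul 29 15:52:10 pluto[7169]: "site_b" #190: DPD: No response from peer - declaring peer dead
Jul 29 16:05:47 pluto[7169]: "buero_michael" #201: DPD: No response from peer - declaring peer dead
Jul 29 16:07:02 pluto[7169]: "site_b" #205: could not find phase 1 state for DPD
"""
# Constructed ipsec.conf fragment carrying the suggested workaround.
SAMPLE_CONF = 'config setup\n    nhelpers=0\nconn buero_michael\n    dpddelay=30\n'

PLUTO = re.compile(r'pluto\[\d+\]:\s+(?:"(?P<conn>[^"]+)"\S*\s+#\d+:\s+)?(?P<msg>.*)$')
PATTERNS = {"declared_dead": "DPD: No response from peer - declaring peer dead",
            "no_phase1": "could not find phase 1 state for DPD"}

def dpd_failures(log_text):
    """Count DPD failure messages per connection name."""
    counts = defaultdict(lambda: dict.fromkeys(PATTERNS, 0))
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        for kind, text in PATTERNS.items():
            if m and text in m.group("msg"):
                counts[m.group("conn") or "(unknown)"][kind] += 1
    return dict(counts)

def nhelpers(conf_text):
    """Return nhelpers from the 'config setup' section, or None if unset."""
    in_setup = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():   # section header at column 0
            in_setup = line.split() == ["config", "setup"]
        elif in_setup:
            key, _, value = line.strip().partition("=")
            if key.strip() == "nhelpers":
                return int(value)
    return None

if __name__ == "__main__":
    print("nhelpers =", nhelpers(SAMPLE_CONF))
    for conn, kinds in sorted(dpd_failures(SAMPLE_LOG).items()):
        print(conn, kinds)
```

Comparing the per-connection counts from before and after the change shows whether disabling helpers actually stopped the false dead-peer declarations on a given gateway.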