Issue #3685

giving up after 5 retransmits

Added by Abed Itani 8 months ago. Updated 8 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: -
Affected version: 5.8.2
Resolution:

Description

Hello,

Thank you for the great product and great support.

I am facing a problem with IKE_DPD. The problem is with iOS devices: the connection is dropped after a while.

Please help, I have been trying to resolve this for days with no luck. I have gone through old cases and tried a lot of settings. This problem occurs only on iOS devices.

I have attached the messages.log file, with X.X.X.X as the public IP of the server and Y.Y.Y.Y as the public IP of the client. The client's private IP address is 10.15.1.2.

in the logs you can see "12:41:55.770 §Jan 31 10:41:58 NewVPNServer charon1155: 15[IKE] sending DPD request"

then 5 retransmits

attached is my ipsec.conf
CentOS8
Strongswan Version 5.8.2

Quick question: is there a way to get the latest strongSwan version on CentOS if it's not available on EPEL?

thank you,

ipsec.conf (810 Bytes) Abed Itani, 31.01.2021 11:22
messages.log (1.47 MB) Abed Itani, 31.01.2021 11:28

History

#1 Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback

Is that your complete config? And the one that was in use when the log file was created? Because I don't see a dpddelay, i.e. the server should not actively initiate any DPD exchanges.

> in the logs you can see "12:41:55.770 §Jan 31 10:41:58 NewVPNServer charon1155: 15[IKE] sending DPD request"

So the device is not reachable anymore? Not sure what magic solution you imagine for this. But if the client device e.g. often goes to sleep and is not reachable, you probably don't want to send DPDs from the server (at least not very often).

> Quick question: is there a way to get the latest strongSwan version on CentOS if it's not available on EPEL?

No idea, try contacting the package maintainers.

#2 Updated by Abed Itani 8 months ago

Dear Tobias,

I appreciate the support.

I am in contact with the package maintainers to update the package on EPEL. I will try my best to keep your software updated on EPEL from now on.

Please, do you mind sharing your best-practice ipsec.conf for iOS devices, and whether there are any extra changes that should be made in other files?

thank you,

have a great day,

Tobias Brunner wrote:

> Is that your complete config? And the one that was in use when the log file was created? Because I don't see a dpddelay, i.e. the server should not actively initiate any DPD exchanges.
>
> > in the logs you can see "12:41:55.770 §Jan 31 10:41:58 NewVPNServer charon1155: 15[IKE] sending DPD request"
>
> So the device is not reachable anymore? Not sure what magic solution you imagine for this. But if the client device e.g. often goes to sleep and is not reachable, you probably don't want to send DPDs from the server (at least not very often).
>
> > Quick question: is there a way to get the latest strongSwan version on CentOS if it's not available on EPEL?
>
> No idea, try contacting the package maintainers.

#3 Updated by Tobias Brunner 8 months ago

> Please, do you mind sharing your best-practice ipsec.conf for iOS devices, and whether there are any extra changes that should be made in other files?

See AppleClients and UsableExamples.
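
The "giving up after 5 retransmits" message in the issue title matches charon's default retransmission settings in strongswan.conf (retransmit_timeout 4.0 s, retransmit_base 1.8, retransmit_tries 5), which the thread does not spell out. The Python sketch below is an added example, not part of the original issue or of strongSwan's code: it computes that schedule and measures the gap between a DPD request and the give-up in log lines. The sample lines, the hostname `vpn`, message ID 7, the `year` parameter and the single-IKE_SA assumption are constructed for illustration.

```python
import re
from datetime import datetime

def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Seconds after the first send at which each retransmit goes out; the
    last entry is when charon gives up. Defaults are charon.retransmit_*."""
    offsets, t = [], 0.0
    for n in range(tries + 1):
        t += timeout * base ** n   # wait before retransmit n+1 (or give-up)
        offsets.append(round(t, 2))
    return offsets

# syslog timestamp, host, "charon...:", thread id, [subsystem], message
LINE = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon\S*: \d+\[\w+\] (.*)")

def dpd_timeouts(lines, year=2021):
    """Return (request_time, seconds_until_give_up) per unanswered DPD.
    Assumes a single IKE_SA in the log (no per-SA correlation)."""
    pending, found = None, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("sending DPD request"):
            pending = ts
        elif msg.startswith("parsed INFORMATIONAL response"):
            pending = None         # peer answered, DPD succeeded
        elif msg.startswith("giving up after") and pending:
            found.append((pending.strftime("%H:%M:%S"),
                          (ts - pending).total_seconds()))
            pending = None
    return found

# Constructed sample (hostname "vpn" and message ID 7 are made up)
SAMPLE = """\
Jan 31 10:41:58 vpn charon[1155]: 15[IKE] sending DPD request
Jan 31 10:41:58 vpn charon[1155]: 15[ENC] generating INFORMATIONAL request 7 [ ]
Jan 31 10:42:02 vpn charon[1155]: 09[IKE] retransmit 1 of request with message ID 7
Jan 31 10:43:27 vpn charon[1155]: 12[IKE] retransmit 5 of request with message ID 7
Jan 31 10:44:43 vpn charon[1155]: 11[IKE] giving up after 5 retransmits
""".splitlines()

if __name__ == "__main__":
    print(retransmit_schedule())   # offsets in seconds
    print(dpd_timeouts(SAMPLE))
```

With the defaults, the SA is dropped roughly 165 seconds after the unanswered DPD request was sent, so a client that sleeps longer than that is disconnected whenever the server initiates DPD.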
