alice::ip xfrm policy flush::no output expected::NO
alice::ip xfrm state flush::no output expected::NO
alice::killall -9 starter charon::no output expected::NO
-carol::sleep 3::no output expected::NO
+carol::sleep 2::no output expected::NO
moon:: cat /var/log/daemon.log::no heartbeat received, taking all segments::YES
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 60::no output expected::NO
+moon:: sleep 16::no output expected::NO
moon:: cat /var/log/daemon.log::sending DPD request::YES
-moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
keyingtries=1
keyexchange=ikev1
dpdaction=clear
- dpddelay=10
- dpdtimeout=45
+ dpddelay=5
+ dpdtimeout=15
conn rw
left=PH_IP_MOON
The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
-polling interval of 10 s. When the network connectivity between <b>carol</b>
-and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
-clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+polling interval of 10s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100s, <b>moon</b>
+clears the connection after a number of unsuccessful retransmits whereas <b>carol</b>
also takes down the connection but immediately tries to reconnect which succeeds
as soon as the connection becomes available again.
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 60::no output expected::NO
+carol::sleep 16::no output expected::NO
carol::cat /var/log/daemon.log::sending DPD request::YES
carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 1::no output expected::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
keyingtries=1
keyexchange=ikev1
dpdaction=restart
- dpddelay=10
- dpdtimeout=45
+ dpddelay=5
+ dpdtimeout=15
conn home
left=PH_IP_CAROL
charon {
load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
}
The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+<b>moon</b> clears the connection after a number of unsuccessful retransmits.
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon:: sleep 180::no output expected::NO
+moon:: sleep 13::no output expected::NO
moon:: cat /var/log/daemon.log::sending DPD request::YES
moon:: cat /var/log/daemon.log::retransmit.*of request::YES
-moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: cat /var/log/daemon.log::giving up after.*retransmits::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
carol::cat /var/log/daemon.log::sending DPD request::YES
carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
carol::ping -c 1 PH_IP_ALICE::trigger route::NO
-carol::sleep 2::no output expected::NO
+carol::sleep 1::no output expected::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 180::no output expected::NO
+carol::sleep 13::no output expected::NO
carol::cat /var/log/daemon.log::sending DPD request::YES
carol::cat /var/log/daemon.log::retransmit.*of request::YES
-carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::cat /var/log/daemon.log::giving up after.*retransmits::YES
carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
-carol::sleep 10::no output expected::NO
+carol::sleep 1::no output expected::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the
+is defined symbolically by <b>right=<hostname></b>. The IKE daemon resolves the
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
IP address under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::sleep 15::NO
+carol::sleep 11::NO
carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
be established successfully by contacting a valid OCSP URI contained in
<b>carol</b>'s certificate.
<p>
-As an additional test the OCSP response is delayed by 5 seconds in order to check
+As an additional test the OCSP response is delayed by a few seconds in order to check
the correct handling of retransmitted IKE_AUTH messages.
echo ""
# simulate a delayed response
-sleep 5
+sleep 2
cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-rkey ocspKey.pem -rsigner ocspCert.pem \
charon {
load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
-
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
}
charon {
load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
initiator_only = yes
integrity_test = yes
charon {
load = test-vectors pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-netlink socket-default
- retransmit_timeout = 2
- retransmit_base = 1.5
- retransmit_tries = 3
initiator_only = yes
integrity_test = yes
multiple_authentication=no
+ retransmit_tries = 5
+
plugins {
eap-tnc {
protocol = tnccs-1.1
multiple_authentication = no
+ retransmit_tries = 5
+
plugins {
tnc-imc {
preferred_language = de
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ retransmit_timeout =
+
plugins {
eap-ttls {
max_message_count = 0
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- plugins {
+ retransmit_timeout =
+
+ plugins {
eap-ttls {
max_message_count = 0
}
charon {
load = aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 curl revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ retransmit_timeout =
+
multiple_authentication = no
plugins {
charon {
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ retransmit_timeout =
+
multiple_authentication = no
plugins {
tnc-imc {
charon {
load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+ retransmit_timeout =
+
multiple_authentication = no
plugins {
projects / thirdparty / strongswan.git / commitdiff
