IPSec IKEv2 DPD not working as expected

xdev-fred · April 14, 2023, 4:01pm

Hello,
Here is my problem, and in advance, thanks if you have time to read and help me.

I’ve 2 sites, linked with IPSec Ikev2.
Tunnels comes UP easily.

If second site become down, the first vyos router takes 120 seconds to set the “IPSec connection” down.
Even if I set the DPD delay to 2 or 5 seconds.

When I watch logs, I can see it tries to send/retransmit. But why the DPD timeout is so long ?
I known that in IKEv2, there is no “DPD” (the command timeout is not taken in account), it’s an INFORMATION message that is sent. But is there a way to detected that the remote peer is DOWN before 120 seconds ?

Apr 14 17:21:34 vyos charon: 13[IKE] <SITE2|19> retransmit 4 of request with message ID 2
Apr 14 17:21:34 vyos charon: 13[NET] <SITE2|19> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 14 17:21:34 vyos charon: 07[IKE] <SITE2|23> retransmit 4 of request with message ID 0
Apr 14 17:21:34 vyos charon: 07[NET] <SITE2|23> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 14 17:21:34 vyos charon: 12[IKE] <SITE2|20> retransmit 4 of request with message ID 0
Apr 14 17:21:34 vyos charon: 12[NET] <SITE2|20> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)

Apr 14 17:22:16 vyos charon: 11[IKE] <SITE2|19> retransmit 5 of request with message ID 2
Apr 14 17:22:16 vyos charon: 11[NET] <SITE2|19> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 14 17:22:16 vyos charon: 16[IKE] <SITE2|23> retransmit 5 of request with message ID 0
Apr 14 17:22:16 vyos charon: 16[NET] <SITE2|23> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 14 17:22:16 vyos charon: 05[IKE] <SITE2|20> retransmit 5 of request with message ID 0
Apr 14 17:22:16 vyos charon: 05[NET] <SITE2|20> sending packet: from 100.64.3.2[4500] to 100.64.2.2[4500] (57 bytes)

Apr 14 17:23:32 vyos charon: 16[IKE] <SITE2|19> giving up after 5 retransmits

Here is the configuration:

set vpn ipsec esp-group ESP_ALL_SITES mode 'tunnel'
set vpn ipsec esp-group ESP_ALL_SITES pfs 'dh-group15'
set vpn ipsec esp-group ESP_ALL_SITES proposal 1 encryption 'chacha20poly1305'
set vpn ipsec esp-group ESP_ALL_SITES proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE_ALL_SITES close-action 'restart'
set vpn ipsec ike-group IKE_ALL_SITES dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE_ALL_SITES dead-peer-detection interval '2'
set vpn ipsec ike-group IKE_ALL_SITES dead-peer-detection timeout '2'
set vpn ipsec ike-group IKE_ALL_SITES disable-mobike
set vpn ipsec ike-group IKE_ALL_SITES ikev2-reauth
set vpn ipsec ike-group IKE_ALL_SITES key-exchange 'ikev2'
set vpn ipsec ike-group IKE_ALL_SITES proposal 1 dh-group '15'
set vpn ipsec ike-group IKE_ALL_SITES proposal 1 encryption 'chacha20poly1305'
set vpn ipsec ike-group IKE_ALL_SITES proposal 1 hash 'sha256'
se
set vpn ipsec site-to-site peer SITE2 authentication local-id 'SITE-PSK'
set vpn ipsec site-to-site peer SITE2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer SITE2 authentication remote-id 'SITE-PSK'
set vpn ipsec site-to-site peer SITE2 connection-type 'initiate'
set vpn ipsec site-to-site peer SITE2 force-udp-encapsulation
set vpn ipsec site-to-site peer SITE2 ike-group 'IKE_ALL_SITES'
set vpn ipsec site-to-site peer SITE2 local-address '100.64.1.2'
set vpn ipsec site-to-site peer SITE2 remote-address '100.64.2.2'
set vpn ipsec site-to-site peer SITE2 tunnel 0 esp-group 'ESP_ALL_SITES'
set vpn ipsec site-to-site peer SITE2 tunnel 0 local prefix '100.68.0.1/32'
set vpn ipsec site-to-site peer SITE2 tunnel 0 remote prefix '100.68.0.2/32'
set vpn ipsec site-to-site peer SITE2 vti bind 'vti0'
set vpn ipsec site-to-site peer SITE2 vti esp-group 'ESP_ALL_SITES'

Here is the version:

Version:          VyOS 1.4-rolling-202304130846
Release train:    current

Built by:         [email protected]
Built on:         Thu 13 Apr 2023 08:46 UTC
Build UUID:       1d949ed4-c78a-4abb-a849-8f0d7617acd3
Build commit ID:  e52a5136ef375e

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    ad20a665-ebd1-4c0a-a50d-94ea7988c963

Copyright:        VyOS maintainers and contributors

swanctl:

root@vyos:~# swanctl --version --pretty
strongSwan swanctl 5.9.8

Thanks a lot for your help
Regards,
Fred

n.fort · April 14, 2023, 5:59pm

Before moving on analysis, I would suggest changes in current configuration.
You have defined both policy and route-based connection:

set vpn ipsec site-to-site peer SITE2 tunnel 0 local prefix '100.68.0.1/32'
set vpn ipsec site-to-site peer SITE2 tunnel 0 remote prefix '100.68.0.2/32'
set vpn ipsec site-to-site peer SITE2 vti bind 'vti0'

Is this intentional? You should used or policy based (defining tunnels) or route-based (using vti)

xdev-fred · April 16, 2023, 1:18pm

Hi,
thanks for your reply.

I’ve done this because setting only:

set vpn ipsec site-to-site peer SITE2 tunnel 0 local prefix '100.68.0.1/32'
set vpn ipsec site-to-site peer SITE2 tunnel 0 remote prefix '100.68.0.2/32'

will not allow 100.68.0.1/32 to communicate with 100.68.0.2/32.

Furthermore, setting ‘protocol’ parameter (igp for example) do not help.

To explain more my setup: (sorry for being so restricted):

First SITE is ‘iBGP’ connected with Second SITE:

(First site)

set interfaces dummy dum0 address '100.68.0.1/32'

set protocols bgp neighbor 100.68.0.2 peer-group 'BGP_GROUP'
set protocols bgp neighbor 100.68.0.2 remote-as '4200020001'

set protocols bgp peer-group BGP_GROUP graceful-restart 'enable'
set protocols bgp peer-group BGP_GROUP local-as 4200020001
set protocols bgp peer-group BGP_GROUP update-source dum0

(Second site):

set interfaces dummy dum0 address '100.68.0.2/32'

set protocols bgp neighbor 100.68.0.2 peer-group 'BGP_GROUP'
set protocols bgp neighbor 100.68.0.1 remote-as '4200020001'

set protocols bgp peer-group BGP_GROUP graceful-restart 'enable'
set protocols bgp peer-group BGP_GROUP local-as 4200020001
set protocols bgp peer-group BGP_GROUP update-source dum0

With this kind of setup, BGP session are not ESTABLISHED and stay ACTIVE.

This is strange because when I output an ip xfrm policy:

fred@vyos# sudo ip xfrm policy
src 100.68.0.1/32 dst 100.68.0.2/32
	dir out priority 367231 ptype main
	tmpl src 100.64.1.2 dst 100.64.2.2
		proto esp spi 0xc3773abf reqid 2 mode tunnel
src 100.68.0.2/32 dst 100.68.0.1/32
	dir fwd priority 367231 ptype main
	tmpl src 100.64.2.2 dst 100.64.1.2
		proto esp reqid 2 mode tunnelsrc 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main
src ::/0 dst ::/0
	socket in priority 0 ptype main
src ::/0 dst ::/0
	socket out priority 0 ptype main

also, my VPN connections are ok: (for the two sites)

fred@vyos# run show vpn ipsec connections
Connection      State    Type    Remote address    Local TS       Remote TS      Local id    Remote id    Proposal
--------------  -------  ------  ----------------  -------------  -------------  ----------  -----------  -------------------------------------
SITE2           up       IKEv2   100.64.2.2        -              -              SITE-HIX    SITE-HIX     CHACHA20_POLY1305/None/None/MODP_3072
SITE2-tunnel-0  up       IPsec   100.64.2.2        100.68.0.1/32  100.68.0.2/32  SITE-HIX    SITE-HIX     CHACHA20_POLY1305/None/None/None

thk for your help
Regards,
Fred

xdev-fred · April 16, 2023, 1:36pm

Hello (again),
i’ve done a simple setup with only routed configuration. The behaviour is the same.

DPD are sent ok when everything works.
Then, when is shutdown remote IPSec gateway, IPSec will wait for 7 seconds to retransmit the second packet.
Then, for the third packet, it will wait 13 seconds
For the fourth one, 23 seconds
The fifth will be sent 40 seconds after the fourth.

Here are the debug lines: (debug are from the SITE1)

Apr 16 15:26:26 vyos charon: 04[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:26 vyos charon: 03[IKE] <SITE2|72> sending DPD request
Apr 16 15:26:26 vyos charon: 03[ENC] <SITE2|72> generating INFORMATIONAL request 28 [ ]
Apr 16 15:26:26 vyos charon: 03[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:26 vyos charon: 05[IKE] <SITE2|74> sending DPD request
Apr 16 15:26:26 vyos charon: 05[ENC] <SITE2|74> generating INFORMATIONAL request 28 [ ]
Apr 16 15:26:26 vyos charon: 05[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:30 vyos charon: 12[IKE] <SITE2|73> retransmit 1 of request with message ID 29
Apr 16 15:26:30 vyos charon: 12[NET] <SITE2|73> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:30 vyos charon: 03[IKE] <SITE2|75> retransmit 1 of request with message ID 28
Apr 16 15:26:30 vyos charon: 03[NET] <SITE2|75> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:30 vyos charon: 05[IKE] <SITE2|76> retransmit 1 of request with message ID 29

Apr 16 15:26:30 vyos charon: 05[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:30 vyos charon: 10[IKE] <SITE2|72> retransmit 1 of request with message ID 28
Apr 16 15:26:30 vyos charon: 10[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:30 vyos charon: 06[IKE] <SITE2|74> retransmit 1 of request with message ID 28
Apr 16 15:26:30 vyos charon: 06[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:37 vyos charon: 12[IKE] <SITE2|73> retransmit 2 of request with message ID 29
Apr 16 15:26:37 vyos charon: 12[NET] <SITE2|73> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:37 vyos charon: 04[IKE] <SITE2|75> retransmit 2 of request with message ID 28
Apr 16 15:26:37 vyos charon: 04[NET] <SITE2|75> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:37 vyos charon: 03[IKE] <SITE2|76> retransmit 2 of request with message ID 29
Apr 16 15:26:37 vyos charon: 03[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:37 vyos charon: 16[IKE] <SITE2|72> retransmit 2 of request with message ID 28
Apr 16 15:26:37 vyos charon: 16[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:37 vyos charon: 14[IKE] <SITE2|74> retransmit 2 of request with message ID 28
Apr 16 15:26:37 vyos charon: 14[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)

Apr 16 15:26:50 vyos charon: 13[IKE] <SITE2|73> retransmit 3 of request with message ID 29
Apr 16 15:26:50 vyos charon: 13[NET] <SITE2|73> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:50 vyos charon: 15[IKE] <SITE2|75> retransmit 3 of request with message ID 28
Apr 16 15:26:50 vyos charon: 15[NET] <SITE2|75> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:50 vyos charon: 12[IKE] <SITE2|76> retransmit 3 of request with message ID 29
Apr 16 15:26:50 vyos charon: 12[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:50 vyos charon: 04[IKE] <SITE2|72> retransmit 3 of request with message ID 28
Apr 16 15:26:50 vyos charon: 04[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:26:50 vyos charon: 05[IKE] <SITE2|74> retransmit 3 of request with message ID 28
Apr 16 15:26:50 vyos charon: 05[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)

Apr 16 15:27:13 vyos charon: 02[IKE] <SITE2|73> retransmit 4 of request with message ID 29
Apr 16 15:27:13 vyos charon: 02[NET] <SITE2|73> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:13 vyos charon: 12[IKE] <SITE2|75> retransmit 4 of request with message ID 28
Apr 16 15:27:13 vyos charon: 12[NET] <SITE2|75> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:13 vyos charon: 04[IKE] <SITE2|76> retransmit 4 of request with message ID 29
Apr 16 15:27:13 vyos charon: 04[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:13 vyos charon: 03[IKE] <SITE2|72> retransmit 4 of request with message ID 28
Apr 16 15:27:13 vyos charon: 03[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:14 vyos charon: 14[IKE] <SITE2|74> retransmit 4 of request with message ID 28
Apr 16 15:27:14 vyos charon: 14[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)


Apr 16 15:27:55 vyos charon: 14[IKE] <SITE2|73> retransmit 5 of request with message ID 29
Apr 16 15:27:55 vyos charon: 14[NET] <SITE2|73> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:55 vyos charon: 16[IKE] <SITE2|75> retransmit 5 of request with message ID 28
Apr 16 15:27:55 vyos charon: 16[NET] <SITE2|75> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:55 vyos charon: 10[IKE] <SITE2|76> retransmit 5 of request with message ID 29
Apr 16 15:27:55 vyos charon: 10[NET] <SITE2|76> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:55 vyos charon: 13[IKE] <SITE2|72> retransmit 5 of request with message ID 28
Apr 16 15:27:55 vyos charon: 13[NET] <SITE2|72> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)
Apr 16 15:27:56 vyos charon: 15[IKE] <SITE2|74> retransmit 5 of request with message ID 28
Apr 16 15:27:56 vyos charon: 15[NET] <SITE2|74> sending packet: from 100.64.1.2[4500] to 100.64.2.2[4500] (57 bytes)

Apr 16 15:29:11 vyos charon: 03[IKE] <SITE2|73> giving up after 5 retransmits

Globally, timeout is 120 seconds. Event if I set dpd to 2 seconds.

Regards,
Fred