[vpnc-devel] Dead Peer Detection fix

Mihai Maties mihai at xcyb.org
Tue Dec 28 11:09:26 CET 2010


The Dead Peer Detection mechanism implemented in vpnc has a small
issue. A lot of people are complaining about connections being dropped
with the following error message logged:

    "connection terminated by dead peer detection"

This is caused by vpnc sending incorrect sequence numbers to the VPN
concentrator. The sequence numbers should be sent in big-endian byte
order, however they are sent in little-endian byte-order (on some

The initial SeqNo sent by vpnc is randomly chosen and it is
subsequently incremented. However when the least significant byte
rolls over (from vpnc's point of view) the other end notices that the
current SeqNo is less than the previous SeqNo.

This is an error message from a Cisco ASA showing the problem:

  Dec 20 02:48:26 %ASA-6-713124: Group = somegroup,
Username = user.name, IP =, Received DPD sequence number
0x952942 in R_U_THERE, Next expected sequence number should be greater
than 0xff942942

vpnc SeqNo     real SeqNo
-----------    -----------
42 29 94 fd    fd 94 29 42
42 29 94 fe    fe 94 29 42
42 29 94 ff    ff 94 29 42
42 29 95 00    00 95 29 42     <--- real SeqNo is less than previous one

Depending on the initial [random] sequence number, the bug will
terminate the connection on the first DPD sent or it could survive 255
DPDs (in the most favourable case).

I created a patch [1] that uses htonl/ntohl macros to fix this.

Best regards,
Mihai Maties

[1]    http://xcyb.org/vpnc/dpd_big-endian.diff

More information about the vpnc-devel mailing list