Hi,

I want to ask how to correctly set up DPD on both sides of a peer-to-peer connection.

left_subnet -- left_ipsec_gateway(A) (can be a client - initiator / static public IP) --> internet <-- right_ipsec_gateway(B) (can be a server / static public IP) -- right_subnet

Now all seems to be working correctly, but I read that for static peers I shouldn't use dpdaction=clear. I use dpdaction=clear because I have problems with re-establishing the connection between left_subnet and right_subnet after the internet connection is lost and recovers.

I tried these combinations:

(A) hold / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) hold / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery

(A) restart_by_peer / (B) clear - ISAKMP SA established, IPsec SA established, can ping between left_subnet and right_subnet after internet connection loss/recovery

- CentOS 6.3 (kernel: 2.6.32-279.19.1.el6.x86_64) / Openswan 2.6.32-19.el6_3.x86_64

- current configuration on left_ipsec_gateway(A)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=restart_by_peer
        dpddelay=30
        dpdtimeout=120

        auto=start

- current configuration on right_ipsec_gateway(B)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=clear
        dpddelay=30
        dpdtimeout=120

        auto=start

Thanks for your answers
-- 
Karel Ziegler

e-mail: ziegleka@gmail.com
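An added example, not part of Karel's post and not Openswan's own code: a small Python checker that parses the two conn sections above (the rsasigkey lines are left out, as they are elided in the post) and flags the DPD combinations the post discusses. The rules it applies are this example's assumptions, encoding the guidance the post refers to (dpdaction=clear is for peers without a fixed address) plus basic sanity checks (dpdtimeout larger than dpddelay, DPD parameters present on both gateways, and hold on both sides leaving nobody to renegotiate, which matches the hold/hold result above). The function names and the embedded sample text are constructed here.

```python
import re

# Constructed sample input: the "conn A-to-B" section from gateway (A) in the post,
# with the leftrsasigkey/rightrsasigkey lines left out (elided in the post as well).
IPSEC_CONF_A = """\
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s
        dpdaction=restart_by_peer
        dpddelay=30
        dpdtimeout=120
        auto=start
"""

# Gateway (B) in the post differs only in its dpdaction.
IPSEC_CONF_B = IPSEC_CONF_A.replace("dpdaction=restart_by_peer", "dpdaction=clear")


def parse_conns(text):
    """Parse an ipsec.conf fragment into {conn_name: {key: value}}.

    Lines are 'key=value' inside a 'conn NAME' block; '#' starts a comment,
    so a commented-out line such as '#ikev2=propose' is ignored. 'config setup'
    and other section types are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^conn\s+(\S+)$", line)
        if match:
            current = match.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def is_fixed_address(value):
    """A left=/right= value names a fixed peer unless it is a wildcard such as
    %any or %defaultroute (the road-warrior / dynamic-address cases)."""
    return not value.startswith("%")


def check_dpd(conn_a, conn_b, label_a="A", label_b="B"):
    """Return warnings about the DPD settings of one conn as seen from both gateways.

    Assumptions of this example (not Openswan's own validation): dpdaction=clear
    is meant for peers without a fixed address; dpdtimeout must exceed dpddelay;
    DPD parameters should be present on both gateways; hold on both sides leaves
    nobody to renegotiate after an outage. Values are plain seconds or 'Ns'.
    """
    warnings = []
    sides = ((label_a, conn_a), (label_b, conn_b))
    for label, conn in sides:
        action = conn.get("dpdaction", "hold")  # Openswan's documented default
        both_fixed = is_fixed_address(conn.get("left", "%any")) and \
            is_fixed_address(conn.get("right", "%any"))
        if action == "clear" and both_fixed:
            warnings.append(
                f"{label}: dpdaction=clear with two fixed-address peers; clear is "
                "meant for peers without a fixed address, use restart or restart_by_peer")
        if "dpddelay" in conn and "dpdtimeout" in conn:
            delay = int(conn["dpddelay"].rstrip("s"))
            timeout = int(conn["dpdtimeout"].rstrip("s"))
            if timeout <= delay:
                warnings.append(
                    f"{label}: dpdtimeout={timeout} must be larger than dpddelay={delay}, "
                    "otherwise the peer is declared dead before a second probe is sent")
    dpd_enabled = [("dpddelay" in c and "dpdtimeout" in c) for _, c in sides]
    if dpd_enabled[0] != dpd_enabled[1]:
        warnings.append("DPD (dpddelay/dpdtimeout) is configured on only one gateway")
    if {c.get("dpdaction", "hold") for _, c in sides} == {"hold"}:
        warnings.append("dpdaction=hold on both gateways: neither side will renegotiate "
                        "on its own after the peer is declared dead")
    return warnings


if __name__ == "__main__":
    a = parse_conns(IPSEC_CONF_A)["A-to-B"]
    b = parse_conns(IPSEC_CONF_B)["A-to-B"]
    for warning in check_dpd(a, b):
        print("WARNING:", warning)
```

Run against the two configurations as posted, the checker reports only gateway (B)'s dpdaction=clear; switching (B) to restart or restart_by_peer makes it pass, while setting hold on both sides trips the last rule.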