Hi,

I want to ask how to correctly set up DPD on both sides - peer to peer connection.

left_subnet -- left_ipsec_gateway(A) (can be a client - initiator / static public IP) --> internet <-- right_ipsec_gateway(B) (can be a server / static public IP) -- right_subnet

Now all seems to be working correctly, but I read that for static peers I shouldn't use dpdaction=clear. I use dpdaction=clear because I have problems with re-establishing the connection between left_subnet and right_subnet after internet connection loss/recovery.

I tried these combinations:

(A) hold / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) hold / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery

(A) restart_by_peer / (B) clear - ISAKMP SA established, IPsec SA established, can ping between left_subnet and right_subnet after internet connection loss/recovery


- CentOS 6.3 (kernel: 2.6.32-279.19.1.el6.x86_64) / Openswan 2.6.32-19.el6_3.x86_64

- current configuration on left_ipsec_gateway(A)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=restart_by_peer
        dpddelay=30
        dpdtimeout=120

        auto=start

- current configuration on right_ipsec_gateway(B)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=clear
        dpddelay=30
        dpdtimeout=120

        auto=start

Thanks for your answers
--
Karel Ziegler

 e-mail:    ziegleka@gmail.com