Hi,

I want to ask how to correctly set up DPD on both sides - peer to peer connection.

left_subnet -- left_ipsec_gateway(A) (can be a client - initiator / static public IP) --> internet <-- right_ipsec_gateway(B) (can be a server / static public IP) -- right_subnet

Now all seems to be working correctly, but I read that for static peers I shouldn't use dpdaction=clear. I use dpdaction=clear because I have problems with re-establishing the connection between left_subnet and right_subnet after internet connection loss/recovery.

I tried these combinations:

(A) hold / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped

(A) hold / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped

(A) restart_by_peer / (B) hold - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped

(A) restart_by_peer / (B) restart_by_peer - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery, ipsec restart on (B) helped

(A) restart_by_peer / (B) restart - ISAKMP SA established, IPsec SA established, can't ping between left_subnet and right_subnet after internet connection loss/recovery

(A) restart_by_peer / (B) clear - ISAKMP SA established, IPsec SA established, can ping between left_subnet and right_subnet after internet connection loss/recovery

- CentOS 6.3 (kernel: 2.6.32-279.19.1.el6.x86_64) / Openswan 2.6.32-19.el6_3.x86_64

- current configuration on left_ipsec_gateway(A)

conn A-to-B
 left=left_static_public_IP
 leftsubnet=10.0.0.0/8
 leftsourceip=10.238.20.16
 leftid=@left_fqdn
 leftrsasigkey=...

 right=right_static_public_IP
 rightsubnet=192.168.0.0/23
 rightid=@right_fqdn
 rightrsasigkey=...

 authby=rsasig
 ike=aes256-sha1;modp2048
 ikelifetime=28800s
 #ikev2=propose
 phase2alg=aes256-sha1;modp2048
 salifetime=3600s

 dpdaction=restart_by_peer
 dpddelay=30
 dpdtimeout=120

 auto=start

- current configuration on right_ipsec_gateway(B)

conn A-to-B
 left=left_static_public_IP
 leftsubnet=10.0.0.0/8
 leftsourceip=10.238.20.16
 leftid=@left_fqdn
 leftrsasigkey=...

 right=right_static_public_IP
 rightsubnet=192.168.0.0/23
 rightid=@right_fqdn
 rightrsasigkey=...

 authby=rsasig
 ike=aes256-sha1;modp2048
 ikelifetime=28800s
 #ikev2=propose
 phase2alg=aes256-sha1;modp2048
 salifetime=3600s

 dpdaction=clear
 dpddelay=30
 dpdtimeout=120

 auto=start

Thanks for your answers
-- 
Karel Ziegler

 e-mail: ziegleka@gmail.com
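An added illustration, not Karel's configuration and not something the thread confirms as the fix: the same conn stanza with the two DPD actions the post contrasts placed side by side. Per the ipsec.conf(5) description of dpdaction, clear removes the SA and the eroute when the peer stops answering DPD probes, so that gateway then waits passively for the other side to initiate, while restart makes the detecting side renegotiate the SA itself. The placeholder names (left_static_public_IP, @left_fqdn, and so on) are the ones from the post; the key placeholders are invented.

```ini
# Added example for a static-to-static tunnel; the same stanza would be
# loaded on both A and B. Not the poster's file and not Openswan's own
# sample configuration.
conn A-to-B
 left=left_static_public_IP
 leftsubnet=10.0.0.0/8
 leftsourceip=10.238.20.16
 leftid=@left_fqdn
 # placeholder: the gateway's raw RSA public key goes here
 leftrsasigkey=<left_gateway_rsa_public_key>

 right=right_static_public_IP
 rightsubnet=192.168.0.0/23
 rightid=@right_fqdn
 # placeholder: the peer's raw RSA public key goes here
 rightrsasigkey=<right_gateway_rsa_public_key>

 authby=rsasig
 ike=aes256-sha1;modp2048
 ikelifetime=28800s
 phase2alg=aes256-sha1;modp2048
 salifetime=3600s

 # Weak choice for two static peers: after dpdtimeout seconds without a
 # reply the SA and eroute are dropped and this side does nothing further,
 # so traffic stays down until the other gateway brings the tunnel up.
 #dpdaction=clear

 # Both peers have fixed addresses, so whichever side notices the outage
 # can renegotiate on its own; keep dpdtimeout well above dpddelay so a
 # single lost probe does not trigger a restart.
 dpdaction=restart
 dpddelay=30
 dpdtimeout=120

 # Load, route and bring the tunnel up when pluto starts.
 auto=start
```

With restart on both gateways, a side that detects the dead peer tries to renegotiate rather than waiting; the one thing to verify after an outage is that only one SA pair is left for A-to-B in the output of `ipsec auto --status`, since both sides can attempt to rebuild at once.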