[Openswan dev] Action "restart" for DPD and whack.c

Andrea Dell'Amico adellam at sevenseas.org
Mon Feb 21 21:24:54 CET 2005


On Mon, 2005-02-21 at 14:15 -0500, Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> >>>>> "Andrea" == Andrea Dell'Amico <adellam at sevenseas.org> writes:
>     Andrea> Hello, I was working to backport the "restart" action for
>     Andrea> dead peer detection to 1.0.9 and I think that in 2.3.1dr3 a
>     Andrea> part is missing: action "restart" is never mentioned in
>     Andrea> whack.c.  A patch is in attachment.
> 
>   restart is not yet finished. It exists in dpd.c only.

I didn't try it with that version of Openswan.
I'm using it with 1.0.9 and it seems to work, at least in my scenario:
a host-to-gateway configuration, with a hundred hosts, all with NAT
traversal and virtual IP. The gateway is a couple of clustered servers
managed via heartbeat; when we switch from one gateway to the other, all
the connections with the NAT traversal hosts get stuck until the time
for rekeying expires, while the hosts without NAT traversal immediately
renegotiate a new connection.
With dpd+restart the NAT traversal hosts renegotiate immediately, too.

> - -- 
> ] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
> ] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
> ] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Cheers
andrea
