[Openswan dev] passive side of DPD
mcr at xelerance.com
Wed Jul 6 22:55:42 CEST 2005
Let's say that we have two nodes, west and east.
They have dpd enabled.
For some reason, communication from east->west fails.
This means that DPD is going to fail.
(In our dpd-06 test case, we force this by doing:
: Create the block
iptables -I INPUT -s 126.96.36.199/32 -d 0/0 -j DROP
Issue: when the state is deleted on east, a delete message is sent out.
Since west->east communication is still permitted, the delete message
goes out. No problem on west.
On east, we get the delete, and we remove the state.
east will then remove the state, and with it, the knowledge that it was
doing dpd, and that it should perhaps do action=restart.
The result is that the state is removed, we go back to %trap, and the
conn is not restarted. When traffic shows up, we would restart.
While this is surprising, I don't see any other way to rationally deal
with this -- from east's point of view, the conn has simply been
(dpd-06 is being adjusted to block both incoming and outgoing traffic)
Michael Richardson, Xelerance Corporation, Ottawa, ON
mcr @ xelerance.com   Now doing IPsec training, see www.xelerance.com/training/
http://www.sandelman.ca/mcr/   (firewalls | net architect | device driver)
I'm a dad: http://www.sandelman.ca/lrmr/
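A toy model of the scenario in the post, added here as an example and not Openswan code: two peers probe each other with DPD over a link whose directions can be blocked independently, and a peer that receives a Delete drops its state (and with it the dpdaction=restart knowledge) and falls back to %trap. Peer names, the miss threshold, and the message handling are constructed for the illustration.

```python
"""Constructed model of the DPD one-way-block problem (not Openswan code)."""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    dpdaction: str = "restart"
    state: str = "established"   # established | restarting | %trap
    missed: int = 0              # consecutive R_U_THERE probes without an ACK


class Link:
    def __init__(self, blocked=()):
        self.blocked = set(blocked)   # (src, dst) pairs whose packets are dropped

    def deliver(self, src, dst):
        return (src.name, dst.name) not in self.blocked


def dpd_round(a, b, link):
    """One DPD probe from a to b; a counts a miss unless the ACK makes it back."""
    if a.state != "established":
        return
    if link.deliver(a, b) and b.state == "established" and link.deliver(b, a):
        a.missed = 0
    else:
        a.missed += 1


def on_dpd_timeout(a, b, link):
    """a's own DPD failed: apply its dpdaction and send a Delete to the peer."""
    a.state = "restarting" if a.dpdaction == "restart" else "%trap"
    a.missed = 0
    if link.deliver(a, b):       # the Delete only matters if it can reach b
        on_delete(b)


def on_delete(peer):
    # Receiving a Delete removes the state outright, so the receiver forgets it
    # was doing DPD with action=restart and sits at %trap until traffic appears.
    peer.state = "%trap"


def run(blocked, rounds=3, threshold=3):
    """Return each peer's final state after `rounds` DPD probes under `blocked`."""
    west, east = Peer("west"), Peer("east")
    link = Link(blocked)
    for _ in range(rounds):
        for a, b in ((west, east), (east, west)):
            dpd_round(a, b, link)
    for a, b in ((west, east), (east, west)):
        if a.state == "established" and a.missed >= threshold:
            on_dpd_timeout(a, b, link)
    return {west.name: west.state, east.name: east.state}
```

Blocking only east->west leaves one side in %trap because the other side's Delete still gets through, whereas blocking both directions (the adjusted dpd-06 case) lets both peers time out and restart on their own.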