[Openswan dev] DPD issue with multiple tunnels between two peers

Mark-Andre Hopf mhopf at innominate.com
Tue Jul 10 05:31:12 EDT 2007

On Tue 10.07. 08:50, Benny Amorsen wrote:
> >>>>> "MR" == Michael Richardson <mcr at xelerance.com> writes:
> >>>>> "Benny" == Benny Amorsen <benny+usenet at amorsen.dk> writes:
> Benny> Which openswan releases have the restart_by_peer option? It
> Benny> seems to me that restart_by_peer is the right thing to do in
> Benny> all cases, so that dpdaction=restart should go away (or just be
> Benny> translated to restart_by_peer)
> MR>   Restarting is not the right action all the time. Sometimes,
> MR> having the conn disappear is the right action.
> Wouldn't you pick dpdaction=clear or something in those cases? I'm
> only complaining about connections not being restarted when I
> explicitly set dpdaction=restart.

>From RFC 3706:

   After some number of retransmitted messages, an implementation SHOULD
   assume its peer to be unreachable and delete IPSec and IKE SAs to the

Dipl.-Inf. Mark-André Hopf
Senior Software Engineer
Innominate Security Technologies AG
protecting industrial networks
tel: +49.30.6392-3284
fax: +49.30.6392-3307
Albert-Einstein-Str. 14
D-12489 Berlin, Germany

Register Court: AG Charlottenburg, HR B 81603
Management Board: Joachim Fietz, Dirk Seewald
Chairman of the Supervisory Board: Edward M. Stadum

More information about the Dev mailing list