[Openswan dev] DPD issue with multiple tunnels between two peers

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue Jul 10 09:41:40 EDT 2007




>>>>> "Benny" == Benny Amorsen <benny+usenet at amorsen.dk> writes:

    Benny> Which openswan releases have the restart_by_peer option? It
    Benny> seems to me that restart_by_peer is the right thing to do in
    Benny> all cases, so that dpdaction=restart should go away (or just
    Benny> be translated to restart_by_peer)

    MR> Restarting is not the right action all the time. Sometimes,
    MR> having the conn disappear is the right action.

    Benny> Wouldn't you pick dpdaction=clear or something in those

  Yes, you would, which is why:
       "restart_by_peer is the right thing to do in all cases"

  is not correct.  The detection of the failure is where all the
phase1/phase2/etc. effort comes in. The decision as to what to do once
there is a failure is relatively easy.
 
-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



