[Openswan dev] DPD issue with multiple tunnels between two peers
Benny Amorsen
benny+usenet at amorsen.dk
Tue Jul 10 13:58:42 EDT 2007
>>>>> "MR" == Michael Richardson <mcr at sandelman.ottawa.on.ca> writes:
>>>>> "Benny" == Benny Amorsen <benny+usenet at amorsen.dk> writes:
MR>> Restarting is not the right action all the time. Sometimes, having
MR>> the conn disappear is the right action.
Benny> Wouldn't you pick dpdaction=clear or something in those
MR> Yes, you would, which is why: "restart_by_peer is the right
MR> thing to do in all cases"
MR> is not correct.
"all cases" was referring to all the cases I was talking about before,
namely the cases where dpdaction=restart or dpdaction=restart_by_peer.
Which is why I want to get rid of one of them and make the other one
do the right thing.
MR> The detection of the failure is where all the phase1/phase2/etc.
MR> effort comes in. The decision as to what to do once there is a
MR> failure, is relatively easy.
So far Openswan seems very good at detecting the failure, at least
with recent 2.4.x versions. It just does the wrong thing with
dpdaction=restart: it restarts one of the tunnels and not the others.
It may be easy to decide what to do, but Openswan still gets it wrong.
/Benny