[Openswan dev] Yet another DPD issue
Mark-Andre Hopf
mhopf at innominate.com
Fri Jul 13 05:23:22 EDT 2007
We have a report of a scenario where DPD won't restart a connection when the
IPsec SA is being replaced while the peer was unavailable.
Here is a possible explanation:
When looking at the code of Openswan 2.4.7 I see that DPD is initiated in
quick_inR1_outI2 and quick_inI2 and deleted when the related SA is deleted
or replaced. Which is the IPsec SA.
Now assume that the IPsec SA expires, EVENT_DPD is deleted and at this
moment the peer is rebooted, which is configured to wait for an incoming
connection.
Now one has to wait until the ISAKMP SA keys expire before the IPsec
connection can be used again.
--
mark-andre.hopf at innominate.com
senior software engineer innominate security technologies AG
development protecting industrial networks
tel: +49.30.6392-3284 fax: -3307 http://innominate.com
The way some people find fault, you'd think there was some kind of reward.
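The timing gap described in the message above, as an added toy model (not Openswan code, and not from the mail's author): a discrete-event simulation of an initiator whose EVENT_DPD is bound either to the IPsec SA (as the mail describes 2.4.7) or, for comparison, to the ISAKMP SA. The event names, lifetimes, DPD delay/timeout and the moment the peer reboots are all constructed for the model; quick-mode retransmit timeouts and rekey margins are deliberately not modelled.

```python
"""Toy discrete-event model of the DPD scheduling gap described in the mail.

Hypothetical illustration only: EVENT_DPD / EVENT_SA_EXPIRE are used as
labels for the model, and all lifetimes below are constructed, not real.
"""
import heapq

EVENT_DPD = "EVENT_DPD"
EVENT_SA_EXPIRE = "EVENT_SA_EXPIRE"


class ToyPluto:
    """One initiator holding an ISAKMP SA and a single IPsec SA under it."""

    def __init__(self, isakmp_life, ipsec_life, dpd_delay, dpd_timeout,
                 peer_down_at, dpd_bound_to="ipsec"):
        self.isakmp_life = isakmp_life
        self.ipsec_life = ipsec_life
        self.dpd_delay = dpd_delay
        self.dpd_timeout = dpd_timeout
        self.peer_down_at = peer_down_at   # peer reboots here, then only waits for incoming
        self.dpd_bound_to = dpd_bound_to   # "ipsec" (2.4.7 as described) or "isakmp"
        self.events = []                   # heap of (time, seq, name, sa)
        self.seq = 0
        self.log = []
        self.first_missed = None           # time of the first unanswered DPD probe
        self.recovered_at = None

    def peer_up(self, t):
        return t < self.peer_down_at

    def schedule(self, t, name, sa):
        self.seq += 1
        heapq.heappush(self.events, (t, self.seq, name, sa))

    def delete_event(self, name):
        self.events = [e for e in self.events if e[2] != name]
        heapq.heapify(self.events)

    def establish_ipsec(self, t):
        # Corresponds to quick_inR1_outI2 / quick_inI2: IPsec SA up, DPD (re)started.
        self.schedule(t + self.ipsec_life, EVENT_SA_EXPIRE, "ipsec")
        self.delete_event(EVENT_DPD)
        self.schedule(t + self.dpd_delay, EVENT_DPD, self.dpd_bound_to)
        self.log.append((t, "ipsec SA up"))

    def restart_connection(self, t):
        # Main mode from scratch; the rebooted peer accepts incoming connections.
        self.recovered_at = t
        self.log.append((t, "connection restarted"))

    def run(self):
        self.schedule(self.isakmp_life, EVENT_SA_EXPIRE, "isakmp")
        self.establish_ipsec(0)
        while self.events and self.recovered_at is None:
            t, _, name, sa = heapq.heappop(self.events)
            if name == EVENT_SA_EXPIRE and sa == "ipsec":
                # The mail's point: DPD tied to the IPsec SA dies with it.
                if self.dpd_bound_to == "ipsec":
                    self.delete_event(EVENT_DPD)
                if self.peer_up(t):
                    self.establish_ipsec(t)       # quick mode rekey succeeds
                else:
                    self.log.append((t, "quick mode rekey unanswered"))
            elif name == EVENT_SA_EXPIRE and sa == "isakmp":
                self.log.append((t, "ISAKMP SA expired"))
                self.restart_connection(t)
            elif name == EVENT_DPD:
                if self.peer_up(t):
                    self.first_missed = None
                else:
                    if self.first_missed is None:
                        self.first_missed = t
                    if t - self.first_missed >= self.dpd_timeout:
                        self.log.append((t, "DPD: peer declared dead"))
                        self.restart_connection(t)
                        continue
                self.schedule(t + self.dpd_delay, EVENT_DPD, sa)
        return self.recovered_at


def recovery_time(dpd_bound_to):
    """Constructed scenario: peer reboots at t=95, just before the IPsec SA
    expires at t=100; ISAKMP SA lives until t=1000."""
    return ToyPluto(isakmp_life=1000, ipsec_life=100, dpd_delay=7,
                    dpd_timeout=30, peer_down_at=95,
                    dpd_bound_to=dpd_bound_to).run()


if __name__ == "__main__":
    print("DPD bound to IPsec SA : recovered at", recovery_time("ipsec"))
    print("DPD bound to ISAKMP SA: recovered at", recovery_time("isakmp"))
```

With DPD bound to the IPsec SA the model sits idle from the failed rekey until the ISAKMP SA expires; with DPD kept alive on the ISAKMP SA the dead peer is noticed after dpd_timeout and the connection is re-initiated within a few probe intervals.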