[Openswan dev] Yet another DPD issue

Mark-Andre Hopf mhopf at innominate.com
Fri Jul 13 05:23:22 EDT 2007

We have a report of a scenario where DPD won't restart a connection when the   
IPsec SA is being replaced while the peer was unavailable.

Here is a possible explanation:

When looking the code of Openswan 2.4.7 I see that DPD is initiated in
quick_inR1_outI2 and quick_inI2 and deleted when the related SA is deleted
or replaced. Which is the IPsec SA.

Now assume that the IPsec SA expires, EVENT_DPD is deleted and at this  
moment the peer is rebooted, which is configured to wait for an incoming

Now one has to wait until the ISAKMP SA keys expire until the IPsec      
connection can be used again.

mark-andre.hopf at innominate.com
senior software engineer           innominate security technologies AG
development                             protecting industrial networks
tel: +49.30.6392-3284  fax: -3307                http://innominate.com
The way some people find fault, you'd think there was some kind of reward.

More information about the Dev mailing list