[Openswan dev] Yet another DPD issue
Mark-Andre Hopf
mhopf at innominate.com
Mon Jul 16 12:00:18 EDT 2007
On Mon 16.07. 11:41, Michael Richardson wrote:
> >>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf at innominate.com> writes:
> Mark-Andre> o The EVENT_SA_REPLACE event with 54s is the IPsec
> Mark-Andre> SA. When there are only 5s left, powercycle the
> Mark-Andre> Responder at once. (Assuming that it takes more than 5s
> Mark-Andre> for Pluto to be ready again ;) .)
>
> Yup. That's because the DPD was associated with the phase 2, and cannot
> be started until such time as the phase 1 has completed.
>
> http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git;a=commit;h=c75967b03b2c478a612aef4ccb7e5dff6e4bdaf5
The git repository is Openswan 3.0.0 only, right?
The commit message reads

    the dpdaction=restart still did not work right --- this fixes it so that it
    schedules a replacement of the phase1 SA, and all phase 2 SAs that might
    depend upon it. Some refactoring was done to state.c code.

which seems to relate to the issue when we have more than one connection
to the same peer. Did you paste the correct link?
(And does that mean that 'DPD issue with multiple tunnels between two peers'
is fixed in Openswan 3.0.0? What about the stable branch? There was no
response on the list.)
Anyway, would you agree that binding DPD to the IPsec SA during quick mode
is the wrong approach and that doing it during main/aggressive mode would
be the right thing to do?
Mark
--
mark-andre.hopf at innominate.com
senior software engineer innominate security technologies AG
development protecting industrial networks
tel: +49.30.6392-3284 fax: -3307 http://innominate.com
Take care of the luxuries and the necessities will take care of themselves.
-- Lazarus Long
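RFC 3706 carries DPD as ISAKMP Notify payloads (R-U-THERE / R-U-THERE-ACK) whose SPI is the initiator/responder cookie pair of the phase 1 SA, so on the wire a liveness probe is identified by the phase 1 SA regardless of how many IPsec SAs hang off it. The following is an added example, not code from the thread or from Openswan's pluto: it encodes and parses those notifies, keeps per-phase-1-SA liveness state with the RFC's strictly increasing sequence-number check, and runs a toy timeline in which the responder falls silent 5 s before the 54 s replace event mentioned above. The cookie values, dpddelay=10 s, dpdtimeout=30 s, SEQ_WINDOW and the simulation loop are assumptions made here; it does not model pluto's event scheduling, which is what the thread is actually arguing about.

```python
"""DPD (RFC 3706) R-U-THERE / R-U-THERE-ACK as ISAKMP Notify payloads, plus a
toy liveness monitor keyed on the phase 1 SA's cookie pair.

Added example for illustration; not Openswan/pluto code.  Cookie values, the
dpddelay/dpdtimeout figures, SEQ_WINDOW and the wire simulation are assumptions.
"""
import struct

# ISAKMP Notify payload fields (RFC 2408 s.3.14) as DPD uses them (RFC 3706 s.5)
IPSEC_DOI = 1            # DOI: IPsec
PROTO_ISAKMP = 1         # Protocol-ID: the phase 1 (ISAKMP) SA itself
COOKIE_LEN = 8           # each ISAKMP cookie is 8 bytes; SPI = icookie || rcookie
R_U_THERE = 36136        # notify message types from RFC 3706 s.5.2
R_U_THERE_ACK = 36137
SEQ_WINDOW = 32          # assumption: accept R-U-THERE seq up to this far ahead


def build_dpd_notify(msg_type, icookie, rcookie, seq, next_payload=0):
    """Encode one DPD notify. Notification data is the 32-bit sequence number."""
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD notify type: %d" % msg_type)
    if len(icookie) != COOKIE_LEN or len(rcookie) != COOKIE_LEN:
        raise ValueError("ISAKMP cookies must be %d bytes each" % COOKIE_LEN)
    spi = icookie + rcookie
    data = struct.pack("!I", seq & 0xFFFFFFFF)
    length = 12 + len(spi) + len(data)          # generic notify header is 12 bytes
    header = struct.pack("!BBHIBBH", next_payload, 0, length,
                         IPSEC_DOI, PROTO_ISAKMP, len(spi), msg_type)
    return header + spi + data


def parse_dpd_notify(buf):
    """Decode a DPD notify; returns (msg_type, icookie, rcookie, seq).

    Rejects anything that is not an R-U-THERE/ACK for an ISAKMP SA, so the
    caller cannot be tricked into treating some other notify as liveness.
    """
    if len(buf) < 12:
        raise ValueError("notify payload too short")
    (_np, _rsv, length, doi, proto, spi_size,
     msg_type) = struct.unpack("!BBHIBBH", buf[:12])
    if length != len(buf):
        raise ValueError("payload length %d != %d bytes" % (length, len(buf)))
    if doi != IPSEC_DOI or proto != PROTO_ISAKMP or spi_size != 2 * COOKIE_LEN:
        raise ValueError("not a DPD notify (DOI/protocol/SPI size)")
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("unexpected notify type %d" % msg_type)
    spi, data = buf[12:12 + spi_size], buf[12 + spi_size:]
    if len(data) != 4:
        raise ValueError("DPD sequence number must be 4 bytes")
    return msg_type, spi[:COOKIE_LEN], spi[COOKIE_LEN:], struct.unpack("!I", data)[0]


class DpdMonitor:
    """Liveness state for ONE phase 1 SA (its cookie pair), in the spirit of
    ipsec.conf's dpddelay/dpdtimeout: probe after `delay` idle seconds, declare
    the peer dead after `timeout` seconds without any traffic from it."""

    def __init__(self, icookie, rcookie, delay, timeout, first_seq, now=0.0):
        self.icookie, self.rcookie = icookie, rcookie
        self.delay, self.timeout = delay, timeout
        self.next_seq = first_seq        # RFC 3706 s.5.4: start at a random value
        self.last_rx = now               # last traffic of any kind from the peer
        self.last_probe = now
        self.sent = set()                # our unacknowledged R-U-THERE seqs
        self.peer_seq = None             # highest valid R-U-THERE seq seen
        self.dead = False

    def on_traffic(self, now):
        """Any authenticated IKE/ESP traffic proves the peer alive."""
        self.last_rx = now

    def tick(self, now):
        """Timer hook. Returns an R-U-THERE to send, or None; sets self.dead."""
        if self.dead:
            return None
        if now - self.last_rx >= self.timeout:
            self.dead = True             # this is where dpdaction would fire
            return None
        if now - self.last_rx >= self.delay and now - self.last_probe >= self.delay:
            seq, self.next_seq = self.next_seq, (self.next_seq + 1) & 0xFFFFFFFF
            self.last_probe = now
            self.sent.add(seq)
            return build_dpd_notify(R_U_THERE, self.icookie, self.rcookie, seq)
        return None

    def receive(self, buf, now):
        """Handle an inbound DPD notify. Returns an ACK to send, or None."""
        msg_type, ic, rc, seq = parse_dpd_notify(buf)
        if (ic, rc) != (self.icookie, self.rcookie):
            raise ValueError("notify is for a different ISAKMP SA")
        if msg_type == R_U_THERE:
            # s.5.4 anti-replay: sequence numbers must strictly increase; the
            # upper bound (SEQ_WINDOW) is this example's own choice.
            if self.peer_seq is not None and not (
                    self.peer_seq < seq <= self.peer_seq + SEQ_WINDOW):
                raise ValueError("R-U-THERE seq %d outside window" % seq)
            self.peer_seq = seq
            self.on_traffic(now)
            return build_dpd_notify(R_U_THERE_ACK, ic, rc, seq)
        if seq not in self.sent:         # an ACK must echo a seq we really sent
            raise ValueError("unsolicited R-U-THERE-ACK seq %d" % seq)
        self.sent.discard(seq)
        self.on_traffic(now)
        return None


def simulate(dies_at, delay=10.0, timeout=30.0, horizon=120.0):
    """Toy wire: the initiator probes, the responder answers until `dies_at`
    (then silence, as after a powercycle). Returns the time the initiator first
    declares the peer dead, or None within `horizon`. Not pluto's scheduler."""
    ic, rc = b"\x01" * 8, b"\x02" * 8      # constructed cookies
    init = DpdMonitor(ic, rc, delay, timeout, first_seq=0x1000)
    resp = DpdMonitor(ic, rc, delay, timeout, first_seq=0x2000)
    for step in range(1, int(horizon) + 1):
        now = float(step)
        probe = init.tick(now)
        alive = dies_at is None or now < dies_at
        if probe is not None and alive:
            init.receive(resp.receive(probe, now), now)
        if init.dead:
            return now
        if alive:
            resp.tick(now)
    return None


if __name__ == "__main__":
    # Mark's scenario: the IPsec SA replace fires at 54 s, the responder is
    # powercycled 5 s before that; with dpddelay=10/dpdtimeout=30 the initiator
    # notices at 70 s (30 s after the last acknowledged probe at 40 s).
    print("peer declared dead at t=%s" % simulate(dies_at=49.0))
```

The check worth keeping from this is the one in `receive`: a DPD ACK is only meaningful if it carries the cookie pair of the ISAKMP SA we probed on and echoes a sequence number we actually sent; everything else is noise or replay and must not refresh the liveness clock.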