[Openswan dev] Yet another DPD issue

Mark-Andre Hopf mhopf at innominate.com
Mon Jul 16 12:00:18 EDT 2007

On Mon 16.07. 11:41, Michael Richardson wrote:

> >>>>> "Mark-Andre" == Mark-Andre Hopf <mhopf at innominate.com> writes:
>     Mark-Andre> o The EVENT_SA_REPLACE event with 54s is the IPsec
>     Mark-Andre> SA. When there are only 5s left, powercycle the
>     Mark-Andre> Responder at once. (Assuming that it takes more than 5s
>     Mark-Andre> for Pluto to be ready again ;) .)
>   Yup. That's because the DPD was associated with the phase 2, and can
> not be started until such time as the phase 1 has completed.
> http://git.openswan.org/cgi-bin/gitweb.cgi?p=openswan.git;a=commit;h=c75967b03b2c478a612aef4ccb7e5dff6e4bdaf5

The git repository is Openswan 3.0.0 only, right?

The commit message reads

  the dpdaction=restart still did not work right --- this fixes it so that it
  schedules a replacement of the phase1 SA, and all phase 2 SAs that might
  depend upon it.  Some refactoring was done to state.c code.

which seems to relate to the issue when we have more than one connection
to the same peer. Did you paste the correct link?

(And does that mean that 'DPD issue with multiple tunnels between two peers'
is fixed in Openswan 3.0.0. What about the stable branch? There was no
response on the list.)

Anyway, would you agree that binding DPD to the IPsec SA during quick mode
is the wrong approach and that doing it during main/aggressive mode would
be the right thing to do?


mark-andre.hopf at innominate.com
senior software engineer           innominate security technologies AG
development                             protecting industrial networks
tel: +49.30.6392-3284  fax: -3307                http://innominate.com
Take care of the luxuries and the necessities will take care of themselves.
		-- Lazarus Long

More information about the Dev mailing list