[Openswan Users] IPSec Connections hanging around after Windows L2TP die or exit

Duncan Reed duncan at elminster.com
Fri Dec 10 08:38:17 CET 2004


On Thu, 2004-12-09 at 16:26, Paul Wouters wrote:
> On Thu, 9 Dec 2004, Duncan Reed wrote:
> 
> > Windows IPSec/L2TP clients connect fine, they do some work, they lose
> > their connection while NOT being idle at a (seemingly) random period of
> > time (Happened from anywhere between 5 mins to 1hr+).
> >
> > Eventually (I guess) the dead peer connection picks it up and you see it
> > go into %hold. At some point I think after dpdtimeout is reached it's
> > cleared.
> >
> > Until it clears the client with that ip address cannot log back into the
> > VPN.
> 
> For roadwarrior connections you should always use dpdaction=clear. After
> all, the roadwarrior can come back from another IP as well.
> Only use dpdaction=hold on static tunnels.
> 

dpdaction is set to clear. 

I was under the impression it put it to hold after the dpddelay was
reached and it detected a potential dead connection. Then cleared it
when it hit the dpdaction parameter. Have I misunderstood this?

Can I manually remove these dead peers that have yet to be cleared
without tearing down the whole connection? Sometimes I want to remove
them without waiting for dpdtimeout and without disconnecting the users
who are currently online.

> As for the original problem, this might be a bug in the Windows rekeying
> method. We're looking into some reports and a proper fix.

That is what a fair few of the hits I found have suggested I must admit,
just seemed strange that it seemed to happen more to some Windows users
than others and seemed particularly bad when multiple users were active.

Thanks,
Duncan
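
Added example (not part of the original message and not Openswan project code): a small Python check that applies the advice quoted above, flagging roadwarrior conns (one end set to %any) whose dpdaction is not clear. The sample ipsec.conf, its addresses and the conn names are constructed and abridged; only `conn %default` inheritance is handled, not `also=`.

```python
# Constructed sample ipsec.conf, abridged to the keys this audit reads.
SAMPLE_CONF = """\
conn %default
    dpddelay=30
    dpdtimeout=120

conn rw-hold
    right=%any
    dpdaction=hold

conn rw-clear
    right=%any
    dpdaction=clear

conn site-to-site
    right=198.51.100.7
    dpdaction=hold

conn rw-unset
    right=%any
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' values inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():              # section header: "conn <name>"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def audit_dpd(text):
    """Map each roadwarrior conn whose dpdaction is not 'clear' to its setting."""
    findings = {}
    for name, opts in parse_conns(text).items():
        action = opts.get("dpdaction", "unset")
        if "%any" in (opts.get("left"), opts.get("right")) and action != "clear":
            findings[name] = action
    return findings

if __name__ == "__main__":
    print(audit_dpd(SAMPLE_CONF))
```

The static tunnel with dpdaction=hold is deliberately not flagged, matching the "only use dpdaction=hold on static tunnels" advice.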

