[Openswan Users] IPSec Connections hanging around after Windows L2TP die or exit

Paul Wouters paul at xelerance.com
Fri Dec 10 10:59:13 CET 2004

On Fri, 10 Dec 2004, Duncan Reed wrote:

> dpdaction is set to clear.
> I was under the impression it put it to hold after the dpddelay was
> reached and it detected a potential dead connection. Then cleared it
> when it hit the dpdaction parameter. Have I misunderstood this?

dpddelay just controls how often we send a DPD probe.
dpdtimeout just controls how long we allow missing DPD probes until we
declare the connection dead.
dpdaction determines the action executed upon reaching dpdtimeout.

If either dpddelay or dpdtimeout is set, but not the other, the other
defaults to 30 seconds for dpddelay and 120 seconds for dpdtimeout.

> Can I manually remove these dead peers that have yet to be cleared
> without tearing down the whole connection? Sometimes I want to remove
> them without waiting for dpdtimeout and without disconnecting the users
> who are currently online.

I am not sure what you mean by 'without tearing down'.
You can do ipsec auto --down connname to terminate all SAs, but keep the
conn loaded.

>> As for the original problem, this might be a bug in the windows rekeying
>> method. We're looking into some reports and a proper fix.
> That is what a fair few of the hits I found have suggested I must admit,
> just seemed strange that it seemed to happen more to some windows users
> than others and seemed particularly bad when multiple users were active.

Unfortunately, windows doesn't boot in our test umls yet :)
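
Added example (not part of the original message, and not Openswan code): a small Python audit that reads ipsec.conf-style text and reports the effective DPD settings per conn, applying the defaulting rule described above (30 seconds for dpddelay, 120 seconds for dpdtimeout when only one of the two is set). The sample config, its conn names and the function names are constructed for illustration; the parser is simplified and does not handle `also=` or `conn %default` inheritance.

```python
DEFAULT_DPDDELAY = 30      # seconds, as stated in the message above
DEFAULT_DPDTIMEOUT = 120   # seconds, as stated in the message above

# Constructed sample config (hypothetical conn names).
SAMPLE_CONF = """\
conn l2tp-windows
    type=transport
    dpddelay=15
    dpdaction=clear

conn l2tp-legacy
    type=transport

conn site-b
    dpdtimeout=60   # only the timeout is set
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective_dpd(params):
    """Apply the defaulting rule; None means no DPD timer is configured."""
    delay, timeout = params.get("dpddelay"), params.get("dpdtimeout")
    if delay is None and timeout is None:
        return None
    return {
        "dpddelay": int(delay) if delay is not None else DEFAULT_DPDDELAY,
        "dpdtimeout": int(timeout) if timeout is not None else DEFAULT_DPDTIMEOUT,
        "dpdaction": params.get("dpdaction"),     # None: not set in the file
    }

def audit(text):
    return {name: effective_dpd(p) for name, p in parse_conns(text).items()}

if __name__ == "__main__":
    for name, dpd in audit(SAMPLE_CONF).items():
        print(name, dpd if dpd else "no DPD parameters set")
```

A conn reported with no DPD parameters is the one to check first when SAs from vanished clients linger.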

