[Openswan Users] IPSec Connections hanging around after Windows L2TP die or exit

Duncan Reed duncan at elminster.com
Fri Dec 10 10:25:01 CET 2004


On Fri, 2004-12-10 at 09:59, Paul Wouters wrote:
> On Fri, 10 Dec 2004, Duncan Reed wrote:
> 
> > dpdaction is set to clear.
> >
> > I was under the impression it put it to hold after the dpddelay was
> > reached and it detected a potential dead connection. Then cleared it
> > when it hit the dpdaction parameter. Have I misunderstood this?
> 
> dpddelay just controls how often we send a DPD probe.
> dpdtimeout just controls how long we allow missing DPD probes until we
> declare the connection dead.
> dpdaction determines the action executed upon reaching dpdtimeout.
> 
> if either dpddelay or dpdtimeout is set, but not the other, the other
> defaults to 30 seconds for dpddelay and 120 seconds for dpdtimeout.
> 
Ah, I did misunderstand, as I thought it was minutes. If it's seconds then
the dead peer connection does not pick it up. I have (and have tried
several variations of):

dpddelay=15
dpdtimeout=30
dpdaction=clear


> > Can I manually remove these dead peers that have yet to be cleared
> > without tearing down the whole connection? Sometimes I want to remove
> > them without waiting for dpdtimeout and without disconnecting the users
> > who are currently online.
> 
> I am not sure what you mean with 'without tearing down'.
> You can do ipsec auto --down connname to terminate all SA's, but keep the
> conn loaded.
> 

Without down'ing the whole connection, i.e. if I have many roadwarriors
using the same connection I just need to remove that one dead
connection.

Duncan
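As an added illustration of the defaulting rule Paul describes above (this is example code, not part of the thread and not Openswan's own parser): a small Python routine that reads the conn sections of an ipsec.conf fragment, fills in the quoted defaults of 30 seconds for dpddelay and 120 seconds for dpdtimeout when only one of the pair is set, and reports which conns have DPD switched off entirely. The sample configuration is constructed for the example, and the "timeout must exceed delay" sanity check is an assumed rule of thumb, not something the thread states.

```python
import re

# Defaults as quoted in the thread: if only one of dpddelay/dpdtimeout is set,
# the other falls back to these values (in seconds).
DEFAULT_DPDDELAY = 30
DEFAULT_DPDTIMEOUT = 120

# Constructed sample ipsec.conf fragment (not taken from the original post).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn roadwarrior
    left=%defaultroute
    right=%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

conn onlydelay
    dpddelay=15

conn nodpd
    left=%defaultroute
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text.

    'config' sections are recognised but skipped; '#' comments are stripped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r'^(conn|config)\s+(\S+)\s*$', line)
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == 'conn' else None
            continue
        if current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns


def effective_dpd(params):
    """Apply the defaulting rule from the thread.

    DPD is only active when dpddelay or dpdtimeout is present; the missing one
    takes the quoted default. Returns None when DPD is not configured at all.
    dpdaction is passed through unchanged (None means the daemon's own default).
    """
    delay = params.get('dpddelay')
    timeout = params.get('dpdtimeout')
    if delay is None and timeout is None:
        return None
    return {
        'dpddelay': int(delay) if delay is not None else DEFAULT_DPDDELAY,
        'dpdtimeout': int(timeout) if timeout is not None else DEFAULT_DPDTIMEOUT,
        'dpdaction': params.get('dpdaction'),
    }


def check_dpd(params):
    """Return a list of warnings about a conn's DPD settings (empty if fine)."""
    eff = effective_dpd(params)
    if eff is None:
        return ['DPD disabled: dead peer SAs will linger until they expire']
    warnings = []
    # Assumed rule of thumb: the timeout should allow at least one missed probe.
    if eff['dpdtimeout'] <= eff['dpddelay']:
        warnings.append('dpdtimeout is not larger than dpddelay')
    return warnings


if __name__ == '__main__':
    for name, params in parse_conns(SAMPLE_CONF).items():
        print(name, effective_dpd(params), check_dpd(params))
```

Running it shows the `roadwarrior` conn with the values from the thread, `onlydelay` picking up the 120 second default timeout, and `nodpd` flagged as having no dead peer detection at all, which is the situation in which stale roadwarrior SAs accumulate.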

