[Openswan Users] IPSec Connections hanging around after Windows L2TP die or exit
Duncan Reed
duncan at elminster.com
Fri Dec 10 10:25:01 CET 2004
On Fri, 2004-12-10 at 09:59, Paul Wouters wrote:
> On Fri, 10 Dec 2004, Duncan Reed wrote:
>
> > dpdaction is set to clear.
> >
> > I was under the impression it put it to hold after the dpddelay was
> > reached and it detected a potential dead connection. Then cleared it
> > when it hit the dpdaction parameter. Have I misunderstood this?
>
> dpddelay just controls how often we send a DPD probe.
> dpdtimeout just controls how long we allow missing DPD probes until we
> declare the connection dead.
> dpdaction determines the action executed upon reaching dpdtimeout.
>
> if either dpddelay or dpdtimeout is set, but not the other, the other
> defaults to 30 seconds for dpddelay and 120 seconds for dpdtimeout.
>
Ah I did misunderstand as I thought it was minutes. If it's seconds then
the dead peer connection does not pick it up. I have (and have tried
several variations of):
dpddelay=15
dpdtimeout=30
dpdaction=clear
> > Can I manually remove these dead peers that have yet to be cleared
> > without tearing down the whole connection? Sometimes I want to remove
> > them without waiting for dpdtimeout and without disconnecting the users
> > who are currently online.
>
> I am not sure what you mean with 'without tearing down'.
> You can do ipsec auto --down connname to terminate all SA's, but keep the
> conn loaded.
>
Without down'ing the whole connection. i.e. if I have many roadwarriors
using the same connection I just need to remove that one dead
connection.
Duncan
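
Added example, not part of the original message and not Openswan code: a small Python check that reads ipsec.conf-style conn sections and resolves the effective DPD timers using the defaulting rule quoted in the thread (30 seconds for dpddelay, 120 seconds for dpdtimeout when only one of the two is set). The conn names and sample configuration are constructed; the case where neither timer is set is not covered by the thread, so the function reports None for it.

```python
# Added example: resolve effective DPD settings per conn using the defaulting
# rule quoted in the thread. The sample config below is constructed.
DPD_DEFAULTS = {"dpddelay": 30, "dpdtimeout": 120}  # seconds, per the quoted reply

SAMPLE_CONF = """\
conn roadwarrior-l2tp
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

# dpdtimeout deliberately omitted in this section
conn only-delay
    dpddelay=10

conn no-dpd
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective_dpd(opts):
    """If one timer is set, the other takes its default; none set -> None."""
    timers = {k: int(opts[k]) for k in DPD_DEFAULTS if k in opts}
    if timers:
        timers = {**DPD_DEFAULTS, **timers}
    else:
        timers = {"dpddelay": None, "dpdtimeout": None}  # not covered by the thread
    return {**timers, "dpdaction": opts.get("dpdaction")}

def report(text):
    return {name: effective_dpd(o) for name, o in parse_conns(text).items()}

if __name__ == "__main__":
    for name, dpd in report(SAMPLE_CONF).items():
        print(name, dpd)
```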