[Openswan Users] Dead Peer Detection

Paul Wouters paul at xelerance.com
Mon Oct 18 18:39:44 CEST 2004


On Mon, 18 Oct 2004, Matthew Claridge wrote:

> Is the DPD support built into Openswan 2.2 universal, i.e. can it 
> successfully detect a dead peer IF that peer isn't running openswan, or does 
> it rely on receiving the correct responses from another openswan 2.2 system?

DPD support has to be announced via the proper vendor-id. Then the other
end can pick it up and use it. Both ends need to announce this separately,
and both sides can decide independently whether or not to use DPD.
Currently in openswan we do not announce our capability of DPD if we did not
configure it to use it ourselves, which is technically wrong. We should
always announce it, even if we do not want to do DPD ourselves, and let the
remote peer make its own decision.

I made that change in HEAD a few weeks ago, but this prompted a discussion
on how to disable this feature per connection, for instance for known broken
remotes that would kill the connection. It also raised the question whether
the dpdaction= and other keywords should actually be changed into a left/right
version of those. We do not yet know which way we want to go.

So I believe if you use HEAD, you get the RFC behaviour, but if you use
anything else, you have to configure DPD yourself so the remote end can see
the DPD announcement and can be configured to use DPD as well.

Paul
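As an added illustration (not from the original mail and not Openswan's own code), the following Python model shows the announce-then-decide-independently logic described above: each side announces the DPD vendor-id according to its policy, and each side only probes if it is configured to AND the remote announced. The vendor-id string and the "legacy"/"rfc" policy names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-in for the DPD vendor-ID payload; the real payload bytes
# are defined by RFC 3706 and are deliberately not reproduced here.
DPD_VENDOR_ID = "VID:DPD(placeholder)"


@dataclass
class Peer:
    name: str
    dpd_configured: bool            # dpdaction= / dpddelay= set for this conn
    announce_policy: str = "legacy"  # "legacy": announce only if configured
                                     # "rfc": always announce (HEAD behaviour)

    def vendor_ids(self):
        """Vendor IDs this peer includes in its IKE phase-1 exchange."""
        if self.announce_policy == "rfc" or self.dpd_configured:
            return [DPD_VENDOR_ID]
        return []

    def will_send_dpd(self, remote_vids):
        """Probe only when locally configured AND the remote announced DPD."""
        return self.dpd_configured and DPD_VENDOR_ID in remote_vids


def negotiate(left, right):
    """Exchange vendor IDs both ways; report which side ends up sending probes."""
    left_vids, right_vids = left.vendor_ids(), right.vendor_ids()
    return {
        left.name: left.will_send_dpd(right_vids),
        right.name: right.will_send_dpd(left_vids),
    }


if __name__ == "__main__":
    gw = Peer("gw", dpd_configured=True)
    # Legacy peer without DPD configured never announces, so gw cannot probe it.
    print(negotiate(gw, Peer("peer", dpd_configured=False)))
    # RFC-style peer announces anyway, so gw can probe even though peer does not.
    print(negotiate(gw, Peer("peer", dpd_configured=False, announce_policy="rfc")))
    # Both configured: both announce, both probe.
    print(negotiate(gw, Peer("peer", dpd_configured=True)))
```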

