[Openswan Users] keepalives?

Paul Wouters paul at xelerance.com
Wed Feb 9 14:23:22 CET 2005


On Wed, 9 Feb 2005, Tomasz Grzelak wrote:

> When a vpn client (native xp+sp2) is connected to the server (openswan 2.2.0),
> I can see with 'tcpdump' incoming packets. Let's assume a client is behind
> NAT, and he has just established a connection with the server, but he isn't
> doing anything else.
>
> 'tcpdump' is showing short incoming udp[4500] packets once a half a minute
> statistically. I assume these are the keepalive packets.
> Am I right?

I have no idea what they should be. Perhaps a full packet capture would help,
and assuming this is encrypted to the isakmp SA, you'd need to dump it from
openswan with plutodebug=all.

> What option in the ipsec.conf file is responsible for how often these
> keepalives are sent?

See dead peer detection, and the options dpd*=

> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there was
> no difference.

That is because XP does not support Dead Peer Detection (RFC3706).

Paul
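
An added example, not part of the original message and not Openswan code: a Python classifier for UDP port 4500 payloads that separates the one-octet NAT-keepalive of RFC 3948 from IKE messages and UDP-encapsulated ESP, using the fixed ISAKMP header layout of RFC 2408. The function names and the sample packets are constructed for illustration.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: four zero octets precede IKE on UDP 4500
ISAKMP_HDR_LEN = 28                   # RFC 2408 fixed header length
EXCH_INFORMATIONAL = 5                # IKEv1 exchange that carries notifies (DPD, delete, ...)
FLAG_ENCRYPTED = 0x01

def classify_udp4500(payload: bytes) -> str:
    """Classify the UDP payload of one packet seen on port 4500."""
    if payload == b"\xff":
        return "nat-keepalive"        # RFC 3948 2.3: a single 0xFF octet
    if len(payload) < 4:
        return "malformed"
    if payload[:4] != NON_ESP_MARKER:
        (spi,) = struct.unpack("!I", payload[:4])
        return f"esp spi=0x{spi:08x}" # UDP-encapsulated ESP starts with a non-zero SPI
    ike = payload[4:]
    if len(ike) < ISAKMP_HDR_LEN:
        return "malformed"
    # Offsets: cookies 0-15, next payload 16, version 17, exchange 18, flags 19
    version, exch, flags = ike[17], ike[18], ike[19]
    (length,) = struct.unpack("!I", ike[24:28])
    if length != len(ike):
        return "malformed"
    if version == 0x10 and exch == EXCH_INFORMATIONAL and flags & FLAG_ENCRYPTED:
        # The notify type is encrypted under the ISAKMP SA, so a DPD probe
        # cannot be told apart from other notifies on the wire.
        return "ike-informational-encrypted"
    return f"ike exchange={exch}"

def build_ike(exch: int, flags: int, body: bytes = b"\x00" * 32) -> bytes:
    """Build a constructed IKEv1 packet as it appears on UDP 4500."""
    hdr = b"\x11" * 8 + b"\x22" * 8 + bytes([8, 0x10, exch, flags])
    hdr += struct.pack("!II", 0xDEADBEEF, ISAKMP_HDR_LEN + len(body))
    return NON_ESP_MARKER + hdr + body

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    b"\xff",
    build_ike(EXCH_INFORMATIONAL, FLAG_ENCRYPTED),
    build_ike(2, 0x00),
    struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 40,
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{len(p):3d} bytes -> {classify_udp4500(p)}")
```

A one-octet 0xFF payload is the NAT-T keepalive; only the `ike-informational-encrypted` class could contain a DPD exchange, and confirming that requires the decrypted view from the IKE daemon's debug log.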

