[Openswan Users] keepalives?
Paul Wouters
paul at xelerance.com
Wed Feb 9 14:23:22 CET 2005
On Wed, 9 Feb 2005, Tomasz Grzelak wrote:
> When a vpn client (native xp+sp2) is connected to the server (openswan 2.2.0),
> I can see with 'tcpdump' incoming packets. Let's assume a client is behind
> NAT, and he has just established a connection with the server, but he isn't
> doing anything else.
>
> 'tcpdump' is showing short incoming udp[4500] packets once a half a minute
> statistically. I assume these are the keepalive packets.
> Am I right?
I have no idea what they should be. Perhaps a full packet capture would help,
and assuming this is encrypted to the isakmp SA, you'd need to dump it from
openswan with plutodebug=all
> What option in the ipsec.conf file is responsible for how often these
> keepalives are sent?
See dead peer detection, and the options dpd*=
> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there was
> no difference.
That is because XP does not support Dead Peer Detection (RFC3706).
Paul
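
An added example, not part of the original thread: one way to tell what the short udp[4500] packets are once the UDP payloads have been captured. It assumes RFC 3948 framing on port 4500 (a NAT-keepalive is a single 0xFF octet, IKE is prefixed by a four-zero-octet non-ESP marker, anything else is ESP) and that RFC 3706 DPD messages travel as encrypted IKEv1 Informational exchanges; the function names are hypothetical and the sample payloads are constructed.

```python
import struct
from collections import Counter

# IKEv1 exchange types from the ISAKMP header (RFC 2408, RFC 2409).
IKE_EXCHANGES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}
NON_ESP_MARKER = b"\x00" * 4      # RFC 3948: precedes IKE on UDP/4500
ISAKMP_HEADER_LEN = 28


def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP/4500 payload (UDP header already stripped)."""
    if payload == b"\xff":
        return "nat-keepalive"                      # RFC 3948 section 2.3
    if len(payload) < 8:
        return "unknown"
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < ISAKMP_HEADER_LEN:
            return "ike-truncated"
        exchange, flags = ike[18], ike[19]          # offsets in ISAKMP header
        name = IKE_EXCHANGES.get(exchange, f"exchange-{exchange}")
        state = "encrypted" if flags & 0x01 else "clear"
        # DPD R-U-THERE / ACK show up as "ike-informational-encrypted".
        return f"ike-{name}-{state}"
    spi, seq = struct.unpack("!II", payload[:8])    # ESP: SPI, sequence number
    return f"esp spi=0x{spi:08x} seq={seq}"


def summarize(payloads) -> Counter:
    """Count payload kinds, ignoring per-packet ESP details."""
    return Counter(classify_udp4500(p).split(" ")[0] for p in payloads)


def _ike(exchange: int, flags: int, body_len: int = 32) -> bytes:
    """Build a constructed IKEv1 packet with non-ESP marker (sample data only)."""
    header = (b"\x11" * 8 + b"\x22" * 8 + bytes([8, 0x10, exchange, flags])
              + struct.pack("!II", 0xDEADBEEF, ISAKMP_HEADER_LEN + body_len))
    return NON_ESP_MARKER + header + b"\x00" * body_len


# Constructed sample payloads: two keepalives, one DPD-style exchange, one ESP packet.
SAMPLES = [b"\xff", b"\xff", _ike(5, 0x01),
           struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 40]

if __name__ == "__main__":
    for p in SAMPLES:
        print(len(p), classify_udp4500(p))
    print(dict(summarize(SAMPLES)))
```

A one-octet payload every 20 to 30 seconds is the client's NAT-keepalive, which the server's dpd* options do not govern.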