[Openswan Users] keepalives?

tgrzelak at wktpolska.com.pl
Wed Feb 9 19:17:44 CET 2005


> I have no idea what they should be. Perhaps a full packet capture would
> help, and assuming this is encrypted to the isakmp SA, you'd need to dump
> it from openswan with plutodebug=all

this is what 'tcpdump' is telling me:
17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
17:59:21.120472 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:59:21.346225 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x3c0000)
17:59:21.822494 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:59:21.856413 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
17:59:40.318213 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
17:59:51.824255 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:59:52.071058 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
18:00:00.297162 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
18:00:20.301950 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
18:00:21.121224 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
18:00:21.181729 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x3c0000)
18:00:21.824378 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
18:00:22.015683 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
18:00:40.313114 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
18:00:51.826130 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
18:00:51.988636 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
18:01:00.358342 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1

>
> > What option in the ipsec.conf file is responsible for how often these
> > keepalives are sent?
>
> see dead peer detection, and the options dpd*=

That's the first thing I've seen at
And if I understand you correctly, the 'dpd*' options are the only options for keepalives, right?

> > I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there
> > was no difference.
>
> That is because XP does not support Dead Peer Detection (RFC3706)

That explains a lot to me.
So there is no way to make an XP client send more keepalives in the same time interval?

TIA,
Tom
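As an added example (not part of the thread, and not Openswan code), here is a Python script that parses tcpdump lines of the shape quoted above, separates the one-byte NAT-T keepalives on UDP/4500 from UDP-encapsulated ESP and plain ESP, and measures the keepalive interval per sender. The embedded capture is a subset of the lines quoted in the post, with the author's masked addresses; the regex is written for this tcpdump output format only.

```python
import re
from datetime import datetime

# Subset of the tcpdump output quoted above (addresses masked as in the post).
CAPTURE = """\
17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
17:59:21.120472 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
17:59:21.346225 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x3c0000)
17:59:40.318213 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
18:00:00.297162 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
"""
# tcpdump line: "HH:MM:SS.usec src[.port] > dst[.port]: description"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+?)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\S+?)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

def classify(sport, dport, rest):
    """Label a packet by what is on the wire, not by what the ports alone suggest."""
    if rest.startswith("ESP("):
        return "esp"                      # plain ESP, decoded by tcpdump
    m = re.match(r"udp (\d+)", rest)
    if m and sport == dport == "4500":
        # RFC 3948: a NAT-T keepalive is a single 0xFF byte on UDP/4500;
        # a longer UDP/4500 datagram is UDP-encapsulated ESP.
        return "natt-keepalive" if m.group(1) == "1" else "udp-esp"
    return "other"

def parse(capture):
    """Return (timestamp, src, kind) for every line that parses; same-day capture assumed."""
    out = []
    for line in capture.splitlines():
        if m := LINE_RE.match(line):
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            out.append((ts, m["src"], classify(m["sport"], m["dport"], m["rest"])))
    return out

def keepalive_intervals(packets):
    """Seconds between consecutive NAT-T keepalives, keyed by sender address."""
    last, gaps = {}, {}
    for ts, src, kind in packets:
        if kind != "natt-keepalive":
            continue
        if src in last:
            gaps.setdefault(src, []).append((ts - last[src]).total_seconds())
        last[src] = ts
    return gaps
```

On this capture the only keepalive sender is aa.bb.cc.dd, spaced about 20 seconds apart, which is the interval the poster is asking how to change.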

