[Openswan Users] keepalives?

Paul Wouters paul at xelerance.com
Wed Feb 9 21:51:45 CET 2005

On Wed, 9 Feb 2005 tgrzelak at wktpolska.com.pl wrote:

>> I have no idea what they should be. Perhaps a full packet capture would
>> help, and assuming this is encrypted to the isakmp SA, you'd need to dump
>> it from openswan with plutodebug=all
> this is what 'tcdump' is telling me:
> 17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
> 17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
> 17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
> 17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1

So Andreas taught me something in his last post. Those are indeed keepalives
from the NAT-T connection to avoid nat routers from forgetting that udp
negotiated conenction. I didn't know about these :)

>>> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there
>>> was no difference.

So according to Andreas it is keep_alives=3 :)

Though 3 second kep alives seem rather many to me.


"At best it is a theory, at worst a fantasy" -- Michael Crichton

More information about the Users mailing list