[Openswan Users] keepalives?
Paul Wouters
paul at xelerance.com
Wed Feb 9 21:51:45 CET 2005
On Wed, 9 Feb 2005 tgrzelak at wktpolska.com.pl wrote:
>> I have no idea what they should be. Perhaps a full packet capture would
>> help, and assuming this is encrypted to the isakmp SA, you'd need to dump
>> it from openswan with plutodebug=all
>
> this is what 'tcpdump' is telling me:
> 17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500: udp 60 (DF)
> 17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
> 17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
> 17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
So Andreas taught me something in his last post. Those are indeed keepalives
from the NAT-T connection to avoid nat routers from forgetting that udp
negotiated connection. I didn't know about these :)
>>> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there
>>> was no difference.
So according to Andreas it is keep_alives=3 :)
Though 3 second keep alives seem rather many to me.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
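Added example, not part of the original message: a short Python script that picks the NAT-T keepalives out of the capture quoted above and measures the gap between them, which is a quick way to check whether a changed keepalive setting took effect. The function names are hypothetical, the regex assumes the older tcpdump output format shown in the post, and a 1-byte UDP payload on port 4500 is taken as a keepalive because tcpdump prints only the length, not the payload byte.

```python
import re
from datetime import datetime

# Capture lines as quoted in the message above (addresses masked by the poster).
CAPTURE = """\
17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500: udp 60 (DF)
17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
"""

UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): udp (?P<len>\d+)"
)
NATT_PORT = 4500  # UDP port used for NAT-T (RFC 3948)

def classify(line):
    """Return (timestamp, src, dst, kind) for a UDP line, or None otherwise."""
    m = UDP_LINE.match(line)
    if not m:
        return None  # e.g. native ESP lines, which carry no UDP ports
    if NATT_PORT not in (int(m["sport"]), int(m["dport"])):
        kind = "other-udp"
    elif int(m["len"]) == 1:
        kind = "natt-keepalive"  # assumption: length 1 means the keepalive octet
    else:
        kind = "natt-data"  # IKE or UDP-encapsulated ESP
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    return ts, m["src"], m["dst"], kind

def keepalive_intervals(text):
    """Seconds between consecutive keepalives, keyed by (src, dst) flow."""
    last, gaps = {}, {}
    for line in text.splitlines():
        rec = classify(line)
        if rec is None or rec[3] != "natt-keepalive":
            continue
        ts, flow = rec[0], (rec[1], rec[2])
        if flow in last:
            gaps.setdefault(flow, []).append((ts - last[flow]).total_seconds())
        last[flow] = ts
    return gaps

if __name__ == "__main__":
    for flow, gaps in keepalive_intervals(CAPTURE).items():
        print(flow, [round(g, 3) for g in gaps])
```

Timestamps carry no date, so a capture that crosses midnight needs tcpdump's date-bearing timestamp option before the gaps are meaningful.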