[Openswan Users] keepalives?

Andreas Steffen andreas.steffen at strongsec.net
Thu Feb 10 00:03:48 CET 2005


Paul Wouters wrote:
> On Wed, 9 Feb 2005 tgrzelak at wktpolska.com.pl wrote:
> 
>>> I have no idea what they should be. Perhaps a full packet capture would
>>> help, and assuming this is encrypted to the isakmp SA, you'd need to dump
>>> it from openswan with plutodebug=all
>>
>>
>> this is what 'tcpdump' is telling me:
>> 17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500:  udp 60 (DF)
>> 17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
>> 17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
>> 17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500:  udp 1
> 
> 
> So Andreas taught me something in his last post. Those are indeed keepalives
> from the NAT-T connection to avoid nat routers from forgetting that udp
> negotiated connection. I didn't know about these :)
> 
>>>> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but
>>>> there was no difference.
> 
> 
> So according to Andreas it is keep_alives=3 :)

Typo :-( The correct spelling is

config setup
        nat_traversal=yes
        keep_alive=3

> Though 3 second keep alives seem rather many to me.

Also seems excessively high to me.
> 
> Paul

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
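
Added example, not part of the original thread: a way to confirm from a capture whether a changed keep_alive value actually took effect, by measuring the spacing of the 1-byte UDP packets on port 4500 that the thread identifies as NAT-T keepalives. The sample capture is constructed in the tcpdump text format quoted above, with documentation-range addresses and one extra keepalive line; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed capture (placeholder addresses), same layout as the quoted one.
SAMPLE = """\
17:58:51.822273 192.0.2.10.4500 > 198.51.100.7.4500:  udp 60 (DF)
17:58:52.138716 198.51.100.7 > 192.0.2.10: ESP(spi=0x11941194,seq=0x440000)
17:59:00.370924 198.51.100.7.4500 > 192.0.2.10.4500:  udp 1
17:59:20.279912 198.51.100.7.4500 > 192.0.2.10.4500:  udp 1
17:59:40.301188 198.51.100.7.4500 > 192.0.2.10.4500:  udp 1
"""

# time, src.port > dst.port: udp <payload length>
UDP_LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):\s+udp (\d+)")

def keepalive_times(text, port=4500):
    """Map (src, dst) -> timestamps of 1-byte UDP packets on the NAT-T port."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if not m:
            continue  # ESP lines and anything else that is not plain UDP
        ts, src, sport, dst, dport, length = m.groups()
        # The text output hides the payload, so length 1 on port 4500 is the
        # tell: a NAT-T keepalive is a single 0xFF octet (RFC 3948). Only one
        # side has to be 4500 because a NAT may rewrite the other port.
        if port in (int(sport), int(dport)) and int(length) == 1:
            flows[(src, dst)].append(datetime.strptime(ts, "%H:%M:%S.%f"))
    return dict(flows)

def keepalive_gaps(text, port=4500):
    """Map (src, dst) -> seconds between consecutive keepalives."""
    gaps = {}
    for flow, times in keepalive_times(text, port).items():
        # % 86400 keeps the gap positive if the capture crosses midnight
        gaps[flow] = [(b - a).total_seconds() % 86400
                      for a, b in zip(times, times[1:])]
    return gaps

def flows_off_target(text, expected, tolerance=1.0):
    """Flows whose mean keepalive gap differs from the configured keep_alive."""
    off = {}
    for flow, g in keepalive_gaps(text).items():
        if g and abs(sum(g) / len(g) - expected) > tolerance:
            off[flow] = round(sum(g) / len(g), 1)
    return off
```

Run against a capture taken after restarting with keep_alive=3, flows_off_target(capture, expected=3) should come back empty; a flow still reported at about 20 seconds means the setting was not picked up.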

