[Openswan Users] keepalives?
Andreas Steffen
andreas.steffen at strongsec.net
Thu Feb 10 00:03:48 CET 2005
Paul Wouters wrote:
> On Wed, 9 Feb 2005 tgrzelak at wktpolska.com.pl wrote:
>
>>> I have no idea what they should be. Perhaps a full packet capture would
>>> help, and assuming this is encrypted to the isakmp SA, you'd need to dump
>>> it from openswan with plutodebug=all
>>
>>
>> this is what 'tcpdump' is telling me:
>> 17:58:51.822273 xx.yy.vv.ww.4500 > aa.bb.cc.dd.4500: udp 60 (DF)
>> 17:58:52.138716 aa.bb.cc.dd > xx.yy.vv.ww: ESP(spi=0x11941194,seq=0x440000)
>> 17:59:00.370924 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
>> 17:59:20.279912 aa.bb.cc.dd.4500 > xx.yy.vv.ww.4500: udp 1
>
>
> So Andreas taught me something in his last post. Those are indeed keepalives
> from the NAT-T connection to avoid NAT routers from forgetting that UDP
> negotiated connection. I didn't know about these :)
>
>>>> I wanted to have them every 3 seconds, so I set 'dpddelay' to 3 but there
>>>> was no difference.
>
>
> So according to Andreas it is keep_alives=3 :)
Typo :-( The correct spelling is

config setup
        nat_traversal=yes
        keep_alive=3

> Though 3 second keep alives seem rather many to me.
Also seems excessively high to me
>
> Paul
Regards
Andreas
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
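
Added example, not part of the original message or of Openswan: a small Python check that reads tcpdump text in the format quoted above, picks out the 1-byte UDP datagrams on port 4500 (the NAT-T keepalives discussed in the thread) and measures the gap between them, so a changed keep_alive value can be confirmed on the wire. The sample capture and its addresses are constructed, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the tcpdump text format quoted in the thread.
# Addresses are documentation ranges, not values from the post.
SAMPLE = """\
17:58:51.822273 192.0.2.10.4500 > 198.51.100.7.4500: udp 60 (DF)
17:58:52.138716 198.51.100.7 > 192.0.2.10: ESP(spi=0x00001000,seq=0x1)
17:59:00.370924 198.51.100.7.4500 > 192.0.2.10.4500: udp 1
17:59:20.279912 198.51.100.7.4500 > 192.0.2.10.4500: udp 1
17:59:40.301500 198.51.100.7.4500 > 192.0.2.10.4500: udp 1
"""

# time, src addr, src port, dst addr, dst port, UDP payload length
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")

def keepalive_times(text, port=4500):
    """Map (src, dst) to the timestamps of 1-byte datagrams on the NAT-T port."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # plain ESP lines and anything that is not UDP
        ts, src, sport, dst, dport, length = m.groups()
        # A NAT device may rewrite the source port, so one side on 4500 is enough.
        if str(port) in (sport, dport) and int(length) == 1:
            flows.setdefault((src, dst), []).append(
                datetime.strptime(ts, "%H:%M:%S.%f"))
    return flows

def keepalive_intervals(text, port=4500):
    """Seconds between consecutive keepalives, per direction."""
    result = {}
    for flow, times in keepalive_times(text, port).items():
        # Modulo one day copes with a capture that crosses midnight.
        result[flow] = [round((b - a).total_seconds() % 86400, 1)
                        for a, b in zip(times, times[1:])]
    return result

def deviating_flows(text, expected_s, tolerance_s=1.0):
    """Flows whose observed keepalive gap differs from the configured value."""
    return {flow: gaps for flow, gaps in keepalive_intervals(text).items()
            if any(abs(g - expected_s) > tolerance_s for g in gaps)}

if __name__ == "__main__":
    print(keepalive_intervals(SAMPLE))
    print(deviating_flows(SAMPLE, expected_s=3))
```

The tcpdump text only shows the payload length, so the match is on length 1 rather than on the 0xFF octet that RFC 3948 specifies for the keepalive.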