[Openswan Users] dpdaction restart?
Paul Wouters
paul at xelerance.com
Thu Nov 10 18:09:12 CET 2005
On Thu, 10 Nov 2005, Duncan Reed wrote:
> I was interested in seeing how the new(ish) dpdaction=restart option
> differed from clear and hold. Looking through the ipsec.conf man and
> other docs they don't appear to have been updated yet.
>
> How does restart differ from hold? And in what situations would I use
> restart instead of the other options.
clear: tear down the broken tunnel. Allow cleartext packets to the destination
hold: tear down the broken tunnel. Disallow cleartext packets, wait for the
remote to re-establish a new IPsec SA (responder)
restart: tear down the broken tunnel. Disallow cleartext packets, attempt to
restart the IPsec tunnel (initiator)
clear is mostly used for roadwarriors. You likely won't be talking to that
remote IP again, as the roadwarrior might show up elsewhere.
hold is for a connection, usually with a remote subnet defined, that vanished
but is on dynamic IP. You cannot restart it, but you also want to prevent
sending cleartext packets for the defined remote subnet.
restart is for a connection to a remote static ip, which you can initiate
yourself.
Compare it to rekey=no. If you have right=%any, you need to have rekey=no,
and you cannot use dpdaction=restart. If this was a single roadwarrior, you
clear; if it was for a subnet, you want to hold it.
Paul
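The rules Paul lays out above (right=%any implies rekey=no and rules out dpdaction=restart; clear for a single roadwarrior, hold for a remote subnet on a dynamic IP, restart only for a static remote you can initiate to) are easy to get wrong in a large ipsec.conf. The following is an added example, not code from the original post or from Openswan: a small checker that parses a constructed ipsec.conf containing one conn per dpdaction case plus one deliberately broken conn, merges `conn %default`, and reports the combinations the post says do not work. It assumes Openswan's dpdaction default is hold and that DPD is only active when both dpddelay and dpdtimeout are set; the conn names, addresses and subnets are made up for the example.

```python
# Added example (not Openswan's own code): check the dpdaction/rekey rules
# from the mailing-list post over a constructed ipsec.conf.

# Constructed sample ipsec.conf: three connections, one per dpdaction case,
# plus one that breaks the rule (right=%any combined with dpdaction=restart).
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=%forever
    dpddelay=30
    dpdtimeout=120

# roadwarrior: peer may reappear from any address; do not hold cleartext back
conn roadwarrior
    left=192.0.2.1
    right=%any
    rekey=no
    dpdaction=clear
    auto=add

# remote subnet behind a peer on dynamic IP: cannot restart, must not leak cleartext
conn branch-dynamic
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=%any
    rightsubnet=10.2.0.0/16
    rekey=no
    dpdaction=hold
    auto=add

# static remote IP: we can initiate, so restart the tunnel ourselves
conn branch-static
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.3.0.0/16
    dpdaction=restart
    auto=start

# broken on purpose: nothing to initiate to when right=%any
conn bad-restart
    left=192.0.2.1
    right=%any
    dpdaction=restart
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section, with the
    values of 'conn %default' merged in as defaults. Comments (#) and blank
    lines are ignored; unindented lines start a new section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), params in sections.items():
        if kind != "conn" or name == "%default":
            continue
        merged = dict(default)
        merged.update(params)
        conns[name] = merged
    return conns


def check_dpd(conns):
    """Return a list of (conn, message) findings based on the post's rules.
    Assumptions: dpdaction defaults to hold and rekey defaults to yes, and DPD
    only runs when both dpddelay and dpdtimeout are set."""
    findings = []
    for name, p in sorted(conns.items()):
        action = p.get("dpdaction", "hold")
        remote_is_any = p.get("right") == "%any"
        if remote_is_any and action == "restart":
            findings.append((name, "dpdaction=restart with right=%any: peer address "
                                   "unknown, cannot initiate; use clear (roadwarrior) "
                                   "or hold (remote subnet)"))
        if remote_is_any and p.get("rekey", "yes") != "no":
            findings.append((name, "right=%any needs rekey=no"))
        if "dpdaction" in p and not ("dpddelay" in p and "dpdtimeout" in p):
            findings.append((name, "dpdaction set but dpddelay/dpdtimeout missing: "
                                   "DPD is not enabled for this conn"))
    return findings


if __name__ == "__main__":
    for conn, msg in check_dpd(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(f"{conn}: {msg}")
```

Running it reports only the `bad-restart` conn (once for restart with %any, once for the missing rekey=no); the three conns that follow the post's advice pass. Point `parse_ipsec_conf` at the contents of a real /etc/ipsec.conf to audit an existing gateway.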