[Openswan Users] ipsec/l2tp Windows (yes again)

Trevor Benson tbenson at a-1networks.com
Tue Apr 25 10:11:48 CEST 2006


On Tuesday, April 25, 2006 Jacco de Leeuw wrote:

> leftsubnet, auto=start and keyingtries=0 are not good defaults for
> L2TP/IPsec connections. Leftsubnet is not required (the L2TP part
> provides the access to the internal subnet) and you should use
> auto=add and keyingtries=<nonzero>.

> dpddelay, dpdtimeout and dpdaction are fine but Windows/Mac clients
> ignore them because they currently do not support DPD. (Perhaps
> they use PPP LCP Echo for detecting dead peers, I don't know).

The individual l2tp I was testing had auto= set to add to override the
default. I am breaking up default to put portions into site-to-site and
roadwarrior 'templates' now, and will use 'also=' statements in each
actual connection to keep the left subnet separated.

Would having a dpd action set to clear, like you would for normal ipsec
clients, cause the l2tp based client to disconnect?  Like an idle client
for a standard 120 second timeout with zero traffic, would the gateway
intentionally clear the connection?  Never really thought about it until
you just reiterated how MS clients react with DPD.

Trevor

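As an added illustration of the split discussed in the thread (not Trevor's or Jacco's configuration, and not a file from the Openswan project), an ipsec.conf layout with a road-warrior template and a site-to-site template pulled into real connections via also=. Section names, addresses, subnets and DPD timer values are constructed placeholders; with Openswan, a section named in also= must appear later in the file than the section that includes it.

```ini
# Constructed example ipsec.conf in Openswan 2.x syntax; all names and
# addresses are placeholders, not a real deployment.
version 2.0

config setup
    nat_traversal=yes
    # Private ranges Windows/Mac clients may sit behind (NAT-T)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Only settings shared by every tunnel type stay in %default:
# no leftsubnet, no auto=start, no keyingtries=0.
conn %default
    authby=secret
    keyingtries=3                  # nonzero: give up instead of retrying forever
    auto=add                       # load the conn; the client initiates

# Real connections come first and pull in their template with also=.
conn l2tp-win
    also=l2tp-roadwarrior-template
    rightsubnet=vhost:%no,%priv    # client directly on the net or behind NAT

conn branch-office
    also=site-template
    left=203.0.113.1               # documentation-range placeholder
    right=198.51.100.2             # documentation-range placeholder
    rightsubnet=192.168.2.0/24     # constructed remote subnet
    auto=start                     # only site-to-site starts at boot

# Template for Windows/Mac L2TP/IPsec road warriors: transport mode,
# no leftsubnet (L2TP/PPP hands out the internal addresses).
conn l2tp-roadwarrior-template
    type=transport
    pfs=no
    rekey=no
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # DPD is only negotiated with peers that support it; Windows/Mac
    # clients that do not will simply never see these timers.
    dpddelay=40
    dpdtimeout=130
    dpdaction=clear

# Template for site-to-site tunnels: this is where leftsubnet belongs.
conn site-template
    type=tunnel
    leftsubnet=192.168.1.0/24      # constructed local subnet
    pfs=yes
```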
