[Openswan Users] RE: DPD
Shi Lang
shilang at greenpacket.com
Thu Aug 10 05:36:52 EDT 2006
Hi Paul,
Thanks very much for the explanation.
For a site-to-site VPN, if one site is behind NAT and the NAT changes the public IP
mapping for that site, or the site is on a PPPoE dial-up connection,
which dpdaction should be used?
Thanks
Regards,
Shi Lang
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Thursday, August 10, 2006 10:23 AM
To: Shi Lang
Cc: users at openswan.org
Subject: RE: DPD
On Thu, 10 Aug 2006, Shi Lang wrote:
> Both sites, I set auto=start, dpdaction I set both = clear or hold before,
> none of them works when I unplug the cable and wait for the timeout 120s, I
> re-plugin, won't be re-established.
>
> dpdaction=restart I did not try it, you mean for unplug cable case I need to
> use the restart for dpdaction? In which situation restart is needed to be
> used? Thanks
From the man page:

    dpdaction  When a DPD enabled peer is declared dead, what action
               should be taken. hold (default) means the eroute will be
               put into %hold status, while clear means the eroute and
               SA with both be cleared. dpdaction=clear is really only
               usefull on the server of a Road Warrior config.

And the man page is missing dpdaction=restart, which means to try and bring
the connection up again. hold is used to passively prevent packets from being
sent to the now broken tunnel. clear is used for roadwarriors, and basically
"forgets" all the information about the IP address that had the tunnel that
died.
> I found a typo mistake in README.DPD file (openswan-2.4.6): (
> The original:
> There are two dpdaction there, should be dydaction, dpddelay and dpdtimeout.
Fixed.
Paul
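
The three dpdaction values described above, placed in an ipsec.conf fragment. This is an added example, not configuration from the original thread or from the Openswan project; the conn names, addresses (documentation ranges), subnets and the dpddelay value are constructed, and dpdtimeout=120 is the timeout mentioned in the thread.

```conf
# Constructed example: static site-to-site tunnel that both ends start.
conn site-to-site
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    authby=secret
    auto=start
    dpddelay=30
    dpdtimeout=120
    # restart: when the peer is declared dead, try to bring the
    # connection up again.
    dpdaction=restart
    # hold (the default) would instead put the eroute into %hold, so
    # packets are not sent to the now broken tunnel.

# Constructed example: server side of a Road Warrior config.
conn roadwarriors
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=%any
    authby=secret
    auto=add
    dpddelay=30
    dpdtimeout=120
    # clear: drop the eroute and SA, forgetting the IP address that
    # had the dead tunnel.
    dpdaction=clear
```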