[Openswan Users] RE: DPD

Shi Lang shilang at greenpacket.com
Thu Aug 10 05:45:47 EDT 2006


Hi Paul,
I have a doubt: when dpdaction=clear and dpdtimeout is reached, the #19 and #25
lines will be deleted. Will the whole "Private_test1" be deleted also
(like "ipsec auto --delete Private_test1")?

Thanks.

########################################################################
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,14,36} trans={0,14,96} attrs={0,14,160}
000
000 "Private_test1": 192.168.6.0/24===10.218.101.150[@b]...10.218.101.151[@a]===192.168.8.0/24; erouted; eroute owner: #19s
000 "Private_test1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Private_test1":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "Private_test1":   newest ISAKMP SA: #26; newest IPsec SA: #19;
000 "Private_test1":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Private_test1":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Private_test1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "Private_test1":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Private_test1":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "Private_test1":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #19: "Private_test1" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 9918s; newest IPSEC; eroute owner
000 #19: "Private_test1" used 1465s ago; esp.d91238e0 at 10.218.101.151 esp.ed3a59ac at 10.218.101.150 comp.6dd8 at 10.218.101.151 comp.ac52 at 10.218.101.150 tun.1008 at 10.218.101.151 tun.1007 at 10.218.101.150
000 #26: "Private_test1" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1814s; newest ISAKMP
########################################################################


Regards,
Shi Lang

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, August 10, 2006 10:23 AM
To: Shi Lang
Cc: users at openswan.org
Subject: RE: DPD

On Thu, 10 Aug 2006, Shi Lang wrote:

> On both sites I set auto=start, and I set dpdaction to both clear and hold
> before; none of them works when I unplug the cable and wait for the 120s
> timeout, then re-plug it: the tunnel won't be re-established.
>
> dpdaction=restart I did not try. Do you mean that for the unplugged cable
> case I need to use restart for dpdaction? In which situation does restart
> need to be used? Thanks

From the man page:

       dpdaction     When a DPD enabled peer is declared dead, what action
                     should be taken. hold (default) means the eroute will be
                     put into %hold status, while clear means the eroute and
                     SA will both be cleared. dpdaction=clear is really only
                     useful on the server of a Road Warrior config.

And the man page is missing dpdaction=restart, which means to try and bring
the connection up again. hold is used to passively prevent packets from being
sent to the now broken tunnel. clear is used for roadwarriors, and basically
"forgets" all the information about the IP address that had the tunnel that
died.

> I found a typo in the README.DPD file (openswan-2.4.6): (
> The original:

> There are two dpdaction there; it should be dpdaction, dpddelay and
> dpdtimeout.

Fixed.

Paul
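An added example, not from the thread or from Openswan: a small parser for the `ipsec auto --status` lines quoted above that tells apart a connection whose definition is gone (what `ipsec auto --delete` would produce) from one that is still loaded but has no SAs (the distinction Shi Lang asks about for dpdaction=clear). The second connection in the sample is constructed and hypothetical.

```python
import re

# Constructed sample in the style of `ipsec auto --status` (Openswan 2.x), modelled
# on the output quoted in the thread. "Private_test2" is hypothetical: its
# definition is still loaded but it holds no negotiated SAs.
SAMPLE_STATUS = """\
000 "Private_test1": 192.168.6.0/24===10.218.101.150[@b]...10.218.101.151[@a]===192.168.8.0/24; erouted; eroute owner: #19
000 "Private_test1":   newest ISAKMP SA: #26; newest IPsec SA: #19;
000 "Private_test2": 192.168.7.0/24===10.218.101.150[@b]...10.218.101.152[@c]===192.168.9.0/24; unrouted; eroute owner: #0
000 "Private_test2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #19: "Private_test1" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 9918s; newest IPSEC; eroute owner
000 #26: "Private_test1" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1814s; newest ISAKMP
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<rest>.*)$')
SA_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)" (?P<state>STATE_\w+)')
NEWEST_RE = re.compile(r'newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+)')
ESTABLISHED_IPSEC = {'STATE_QUICK_I2', 'STATE_QUICK_R2'}  # Phase 2 completed


def parse_status(text):
    """Return {conn_name: {'ike': n, 'ipsec': n, 'sas': {sa_num: state}}}."""
    conns = {}
    for line in text.splitlines():
        m = SA_RE.match(line)          # per-SA line: "000 #19: "conn" STATE_..."
        if m:
            entry = conns.setdefault(m['name'], {'ike': 0, 'ipsec': 0, 'sas': {}})
            entry['sas'][int(m['num'])] = m['state']
            continue
        m = CONN_RE.match(line)        # per-connection line: "000 "conn": ..."
        if m:
            entry = conns.setdefault(m['name'], {'ike': 0, 'ipsec': 0, 'sas': {}})
            n = NEWEST_RE.search(m['rest'])
            if n:
                entry['ike'], entry['ipsec'] = int(n['ike']), int(n['ipsec'])
    return conns


def tunnel_state(conns, name):
    """'absent': no definition loaded; 'no-sa': loaded but nothing negotiated
    (SAs cleared); 'ike-only': Phase 1 up only; 'established': IPsec SA up."""
    c = conns.get(name)
    if c is None:
        return 'absent'
    if c['ipsec'] and c['sas'].get(c['ipsec']) in ESTABLISHED_IPSEC:
        return 'established'
    if c['ike']:
        return 'ike-only'
    return 'no-sa'
```

Running this against `ipsec auto --status` output taken before and after a DPD timeout shows whether the action removed only the SAs or the connection definition itself.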
