[Openswan Users] dpdaction=clean Ineffective.

Peter McGill petermcgill at goco.net
Fri Jan 20 09:52:46 CET 2006

Agent Smith:
>conn    L2TPM
>        type=tunnel
>        authby=rsasig
>        dpdaction=clear
>        left=x.x.x.x
>        leftid=@vpn.company.domain
>        leftrsasigkey=%cert
>        leftcert=servercert10.pem
>        leftprotoport=17/1701
>        right=%any
>        rightsubnet=vhost:%all
>        rightprotoport=17/1701
>        rightrsasigkey=%cert
> isn't the dpdaction=clear supposed to delete the
> eroute? where do I configure the dpd timeout?

From doc/README.DPD:
"Note that both sides must have either dpddelay or dpdtimeout set for DPD
to be proposed or accepted.  If one directive is set but not the other,
the defaults are used (dpddelay=30, dpdtimeout=120)."

I don't see you using dpddelay or dpdtimeout in your conf, and according
to the docs, dpd isn't used unless you set one or both of them.

Check your logs for a line like:
Jan 16 14:00:27 sheridan pluto[1661]: "sunoco-172-26-net-to-london-office-net" #89: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x00227f92 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

If dpd is on you should see the DPD=enabled at the end of the line.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
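
Added example, not part of the original post or of Openswan: a Python check for the two things the reply points at, conns that set dpdaction with neither dpddelay nor dpdtimeout (values inherited from conn %default are counted), and the DPD=enabled marker on pluto's "IPsec SA established" lines. The sample config and log text are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample config, modelled on the conn in the post.
SAMPLE_CONF = """\
conn %default
        keyingtries=3
conn L2TPM
        dpdaction=clear
        right=%any
conn office
        dpdaction=clear
        dpddelay=30
"""
# Constructed log lines; the DPD=none value is an assumption, only DPD=enabled is tested.
SAMPLE_LOG = (
    'Jan 16 14:00:27 sheridan pluto[1661]: "office" #89: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established {ESP=>0x00227f92 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}\n'
    'Jan 16 14:02:11 sheridan pluto[1661]: "L2TPM" #90: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established {ESP=>0x00227f93 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}\n'
)

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def dpd_inactive_conns(text):
    """Conns with dpdaction but neither dpddelay nor dpdtimeout (also= is not followed)."""
    conns = parse_conns(text)
    default = conns.pop("%default", {})        # %default applies to every conn
    merged = {n: {**default, **p} for n, p in conns.items()}
    return [n for n, p in merged.items() if "dpdaction" in p
            and not {"dpddelay", "dpdtimeout"} & p.keys()]

SA_RE = re.compile(r'pluto\[\d+\]: "([^"]+)".*IPsec SA established \{([^}]*)\}')
def dpd_status_from_log(text):
    """Map conn name -> True if its latest SA-established line shows DPD=enabled."""
    return {m.group(1): "DPD=enabled" in m.group(2).split()
            for m in map(SA_RE.search, text.splitlines()) if m}
```

On the sample input, dpd_inactive_conns flags L2TPM and dpd_status_from_log reports DPD enabled only for office; log entries are assumed to be one per line, not wrapped as in the mail above.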

