[Openswan Users] dpdaction=clean Ineffective.

pompase pompase at pompase.net
Fri Jan 20 08:54:31 CET 2006


Apart from what you wrote Paul, I do not think that dpd will work. As far as 
I remember, in Windows L2TP there is no dpd support. And in that case no dpd is 
negotiated no matter what you configure at your connection, as it is 
necessary that both sides agree about dpd. 
Forget what I was writing about in case you use any other L2TP implementation 
that supports dpd. 
 
Matthias 
 
On Fri, 20 Jan 2006 05:42:41 +0100 (CET), Paul Wouters wrote 
> On Thu, 19 Jan 2006, Agent Smith wrote: 
>  
> > conn    L2TPM 
> >         type=tunnel 
> >         authby=rsasig 
> >         dpdaction=clear 
> >         left=x.x.x.x 
> >         leftid=@vpn.company.domain 
> >         leftrsasigkey=%cert 
> >         leftcert=servercert10.pem 
> >         leftprotoport=17/1701 
> >         right=%any 
> >         rightsubnet=vhost:%all 
> >         rightprotoport=17/1701 
> >         rightrsasigkey=%cert 
> > 
> > I connect over L2TP fine, everything works but after I 
> > disconnect, I still have the eroute showing up in the 
> > 'ipsec eroute' output. 
> > 
> > Isn't dpdaction=clear supposed to delete the 
> > eroute? 
>  
> Yes, if you do not use auto=start. Since you left out the auto= 
> rule, I cannot see that. 
>  
> > where do I configure the dpd timeout? 
>  
> From the man page: 
>  
>        dpdtimeout    Set the length of time (in seconds) we will idle 
>                      without hearing either an R_U_THERE poll from our 
>                      peer, or an R_U_THERE_ACK reply. After this period 
>                      has elapsed with no response and no traffic, we 
>                      will declare the peer dead, and remove the SA 
>                      (default 120 seconds). If dpddelay is set, but not 
>                      dpdtimeout, dpdtimeout will be set to the default. 
>  
> Yes. You can get some more debugging by using plutodebug=dpd 
>  
> > I tried deleting eroute manually but that looked like 
>  
> You should not do that. 
>  
> Paul 
> _______________________________________________ 
> Users mailing list 
> Users at openswan.org 
> http://lists.openswan.org/mailman/listinfo/users 
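The points raised in this thread can be checked against a configuration before deployment. The following is an added example, not part of the original messages and not Openswan code: a small lint that parses `conn` sections and reports when `dpdaction` is set without any DPD timers, when `dpdtimeout` falls back to the default quoted from the man page, and when `dpdaction=clear` is combined with `auto=start`. The finding labels, the `no-dpd-timers` rule and the sample text are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's conn (auto= lines added here).
SAMPLE = """\
conn L2TPM
        dpdaction=clear
        right=%any
        auto=start

conn with-timers
        dpdaction=clear
        dpddelay=30
        auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # some other section, e.g. "config setup"
    return conns

def dpd_findings(conn):
    """Flag reasons a conn's dpdaction may never fire (labels are ours)."""
    if "dpdaction" not in conn:
        return []
    out = []
    if "dpddelay" not in conn and "dpdtimeout" not in conn:
        out.append("no-dpd-timers")           # hypothetical lint rule
    elif "dpdtimeout" not in conn:
        out.append("dpdtimeout-default-120")  # default quoted from man page
    if conn["dpdaction"] == "clear" and conn.get("auto") == "start":
        out.append("clear-with-auto-start")   # Paul's caveat in the thread
    return out

def audit(text):
    return {name: dpd_findings(c) for name, c in parse_conns(text).items()}

if __name__ == "__main__": print(audit(SAMPLE))
```

Whether the peer supports DPD at all cannot be read from the local configuration, so a clean result here does not cover the case Matthias describes.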
 
 
 

