[Openswan Users] DPD

Brian Candler B.Candler at pobox.com
Thu Jun 8 15:32:36 CEST 2006


On Wed, Jun 07, 2006 at 01:35:18PM -0400, Snitgen, John wrote:
> I read the DPD readme on the Openswan site and did not find the info that
> I am looking for, so here goes:
> 
> I am trying to use DPD on my Openswan to Cisco IPSec VPN.  The Cisco that
> I am connecting to is configured for 'on-demand' DPD - Is Openswan DPD
> capable of doing 'on-demand' mode, or just 'periodic' mode?

I can't answer the openswan side, but I can tell you a bit more about what
this means in practice on a Cisco (as I've examined it with tcpdump).

Firstly, DPD only takes effect if the router has not seen any inbound data
from the remote side for a little while. If the two sides are happily
exchanging ESP packets, no DPD R-U-THERE messages are sent at all, in either
on-demand or periodic mode.

If no incoming packets have been received for a while, then it behaves as
follows:

- with "periodic" mode, a DPD R-U-THERE is sent at intervals
- with "on-demand" mode, a DPD R-U-THERE is only sent if there is outbound
  traffic queued to be sent

If after a few retries no DPD R-U-THERE-ACK is received in response, then
the tunnel is torn down and re-established.

Now, regarding on-demand versus periodic: AFAICT there is no need for both
sides to be configured identically.

On a road-warrior client it makes sense to use "periodic" mode. This is
because if there is traffic from the central site to the road-warrior, but
the road-warrior's IP address has changed, the central site cannot rebuild
the tunnel. Therefore it's up to the client to keep the tunnel up and
re-establish it if necessary. However on the concentrator side you might as
well use on-demand, or no DPD at all.

For site-to-site tunnels, it doesn't really make much difference. If there's
no real tunnel traffic to be sent, then you don't need to send periodic
keepalives, so you might as well use on-demand.

HTH,

Brian.
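The behaviour Brian describes (no DPD while inbound traffic flows, R-U-THERE probes once the peer has gone quiet, on-demand probing only when there is outbound traffic waiting, and teardown after a few unanswered probes) can be captured in a small timer model. The following is an added illustration, not code from the post, from Openswan or from Cisco; it is a simplified model of the DPD (RFC 3706) liveness check in which the idle threshold, probe interval and retry count are assumed values and the scripted ESP/ACK events are constructed. It also shows the point behind the road-warrior advice: an on-demand peer with nothing to send never notices that the other side is gone.

```python
"""Toy model of IKE Dead Peer Detection (RFC 3706) in periodic vs on-demand mode.

Added example; timer values are assumptions, not Openswan or Cisco defaults.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DpdPeer:
    """One IKE peer running DPD in 'periodic' or 'on-demand' mode."""
    mode: str                      # "periodic" or "on-demand"
    idle_threshold: int = 10       # seconds of inbound silence before DPD engages
    probe_interval: int = 5        # seconds between R-U-THERE probes (and retries)
    max_retries: int = 3           # unanswered probes tolerated before teardown
    now: int = 0
    last_inbound: int = 0          # time of the last packet seen from the peer
    last_probe: Optional[int] = None
    unanswered: int = 0            # R-U-THERE probes sent without an R-U-THERE-ACK
    outbound_pending: bool = False
    tunnel_up: bool = True
    log: list = field(default_factory=list)

    def receive(self, kind: str = "ESP") -> None:
        """Any inbound packet (ESP data or R-U-THERE-ACK) proves the peer is alive."""
        self.last_inbound = self.now
        self.unanswered = 0
        self.log.append((self.now, f"rx {kind}"))

    def queue_outbound(self) -> None:
        """Mark that we have user traffic waiting to go through the tunnel."""
        self.outbound_pending = True

    def tick(self) -> Optional[str]:
        """Advance one second and return the DPD action taken, if any."""
        self.now += 1
        if not self.tunnel_up:
            return None
        if self.now - self.last_inbound < self.idle_threshold:
            return None  # peer spoke recently: no DPD message in either mode
        if self.mode == "on-demand" and not self.outbound_pending:
            return None  # on-demand: nothing to send, so nothing to check
        if self.last_probe is not None and self.now - self.last_probe < self.probe_interval:
            return None  # wait for the current probe before retrying
        if self.unanswered >= self.max_retries:
            self.tunnel_up = False  # retries exhausted: tear down and re-establish
            self.log.append((self.now, "tear down + re-establish"))
            return "TEARDOWN"
        self.last_probe = self.now
        self.unanswered += 1
        self.log.append((self.now, "tx R-U-THERE"))
        return "R-U-THERE"

    def probes(self) -> int:
        """Number of R-U-THERE probes this peer has sent."""
        return sum(1 for _, msg in self.log if msg == "tx R-U-THERE")


def simulate(mode: str, seconds: int, inbound_at=(), outbound_at=(),
             ack_after: Optional[int] = None) -> DpdPeer:
    """Run one peer for `seconds` ticks with constructed, scripted events.

    inbound_at / outbound_at: times at which ESP arrives / outbound data is queued.
    ack_after: if set, the remote answers every R-U-THERE that many seconds later;
               None models a dead peer that never answers.
    """
    peer = DpdPeer(mode=mode)
    pending_acks = []
    for t in range(1, seconds + 1):
        action = peer.tick()
        if action == "R-U-THERE" and ack_after is not None:
            pending_acks.append(t + ack_after)
        if t in inbound_at:
            peer.receive("ESP")
        if t in outbound_at:
            peer.queue_outbound()
        if t in pending_acks:
            peer.receive("R-U-THERE-ACK")
    return peer


if __name__ == "__main__":
    scenarios = {
        "periodic, peer dead": simulate("periodic", 30),
        "periodic, peer alive": simulate("periodic", 30, ack_after=1),
        "on-demand, idle, peer dead": simulate("on-demand", 30),
        "on-demand, outbound at t=12, dead": simulate("on-demand", 30, outbound_at=(12,)),
        "periodic, steady ESP": simulate("periodic", 30, inbound_at=tuple(range(5, 31, 5))),
    }
    for name, p in scenarios.items():
        print(f"{name:38s} probes={p.probes()} tunnel_up={p.tunnel_up}")
```

Running the scenarios shows the contrast from the post: with steady ESP traffic no probe is ever sent in either mode; a periodic peer probes a silent remote and tears the tunnel down after the retries are exhausted; an on-demand peer does the same only once it has outbound data queued, and an idle on-demand peer sends nothing at all, so a changed road-warrior address would go unnoticed until the client itself acted.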

