[Openswan Users] DPD
Snitgen, John
John.Snitgen at tnsi.com
Thu Jun 8 11:55:48 CEST 2006
Thanks for the info!
I have a couple more questions just to clarify:
If I want to use on-demand mode on the Cisco, do I need to have DPD enabled at all in my ipsec.conf on the Openswan side, or just configured on the Cisco side? I am guessing that if configured this way (no DPD parameters in my ipsec.conf, Cisco configured for on-demand DPD), then only the Cisco will be able to detect dead sessions, and then only when data is sent from that end of the connection. Is this correct?
TIA!
John
-----Original Message-----
From: Brian Candler [mailto:B.Candler at pobox.com]
Sent: Thursday, June 08, 2006 9:33 AM
To: Snitgen, John
Cc: Openswan Users List (E-mail)
Subject: Re: [Openswan Users] DPD
On Wed, Jun 07, 2006 at 01:35:18PM -0400, Snitgen, John wrote:
> I read the DPD readme on the Openswan site and did not find the info that
> I am looking for, so here goes:
>
> I am trying to use DPD on my Openswan to Cisco IPSec VPN. The Cisco that
> I am connecting to is configured for 'on-demand' DPD - Is Openswan DPD
> capable of doing 'on-demand' mode, or just 'periodic' mode?
I can't answer the openswan side, but I can tell you a bit more about what
this means in practice on a Cisco (as I've examined it with tcpdump).
Firstly, DPD only takes effect if the router has not seen any inbound data
from the remote side for a little while. If the two sides are happily
exchanging ESP packets, no DPD R-U-THERE messages are sent at all, in either
on-demand or periodic mode.
If no incoming packets have been received for a while, then it behaves as
follows:
- with "periodic" mode, a DPD R-U-THERE is sent at intervals
- with "on-demand" mode, a DPD R-U-THERE is only sent if there is outbound
traffic queued to be sent
If after a few retries no DPD R-U-THERE-ACK is received in response, then
the tunnel is torn down and re-established.
Now, regarding on-demand versus periodic: AFAICT there is no need for both
sides to be configured identically.
On a road-warrior client it makes sense to use "periodic" mode. This is
because if there is traffic from the central site to the road-warrior, but
the road-warrior's IP address has changed, the central site cannot rebuild
the tunnel. Therefore it's up to the client to keep the tunnel up and
re-establish it if necessary. However on the concentrator side you might as
well use on-demand, or no DPD at all.
For site-to-site tunnels, it doesn't really make much difference. If there's
no real tunnel traffic to be sent, then you don't need to send periodic
keepalives, so you might as well use on-demand.
HTH,
Brian.
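The periodic versus on-demand behaviour Brian describes (no probes while inbound traffic is flowing, probes only after inbound silence, and in on-demand mode only when there is outbound traffic waiting, with teardown after a few unanswered R-U-THERE messages) can be played out in a small simulation. This is an added example, not code from the thread, Openswan or Cisco IOS. The thresholds (10 s idle, 10 s retry interval, 3 retries) are illustrative and not either product's defaults, R-U-THERE-ACKs from a live peer are assumed to arrive instantly, and the model assumes that in on-demand mode retries obey the same outbound-traffic rule as the first probe; the thread does not state how the Cisco handles retries, so that is a modelling assumption. It also says nothing about whether Openswan itself supports an on-demand mode, which the thread leaves open.

```python
"""Model of the IKEv1 DPD behaviour described in the thread (added example).

Two things matter: whether the peer has been silent for a while (idle
threshold) and, in on-demand mode, whether there is outbound traffic
waiting. Thresholds are illustrative, not Cisco or Openswan defaults.
"""
from dataclasses import dataclass, field
from typing import AbstractSet, List, Optional


@dataclass
class DpdPeer:
    mode: str                    # "periodic" or "on-demand"
    idle_threshold: int = 10     # seconds of inbound silence before DPD is considered
    retry_interval: int = 10     # seconds between successive R-U-THERE messages
    max_retries: int = 3         # unanswered R-U-THEREs tolerated before teardown
    last_inbound: int = 0        # time of the last packet received from the peer
    last_probe: Optional[int] = None
    outstanding: int = 0         # R-U-THEREs sent without an R-U-THERE-ACK
    probes_sent: int = 0
    teardown_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def inbound(self, now: int) -> None:
        """Any inbound packet (ESP data or an R-U-THERE-ACK) proves the peer is alive."""
        self.last_inbound = now
        self.outstanding = 0
        self.last_probe = None

    def tick(self, now: int, outbound_queued: bool) -> Optional[str]:
        """Decide what, if anything, DPD does this second. Returns the action taken."""
        if self.teardown_at is not None:
            return None
        if now - self.last_inbound < self.idle_threshold:
            return None  # peer seen recently: no DPD traffic in either mode
        if self.mode == "on-demand" and not outbound_queued:
            return None  # nothing to send, so nothing to protect; stay quiet
        if self.last_probe is not None and now - self.last_probe < self.retry_interval:
            return None  # a probe is outstanding; wait out the retry interval
        if self.outstanding >= self.max_retries:
            self.teardown_at = now
            self.log.append(f"t={now}: {self.outstanding} R-U-THERE unanswered, tearing down SA")
            return "TEARDOWN"
        self.outstanding += 1
        self.probes_sent += 1
        self.last_probe = now
        self.log.append(f"t={now}: send R-U-THERE (attempt {self.outstanding})")
        return "R-U-THERE"


def simulate(mode: str, peer_alive: bool, outbound_at: AbstractSet[int],
             inbound_esp_at: AbstractSet[int] = frozenset(),
             duration: int = 200) -> DpdPeer:
    """Run one peer for `duration` seconds against a constructed traffic pattern.

    outbound_at:    seconds at which this side has ESP traffic queued to send
    inbound_esp_at: seconds at which ESP data arrives from the peer (only if alive)
    peer_alive:     if True, every R-U-THERE is answered at once with an ACK
    """
    peer = DpdPeer(mode=mode)
    for now in range(duration):
        if peer_alive and now in inbound_esp_at:
            peer.inbound(now)
        action = peer.tick(now, outbound_queued=now in outbound_at)
        if action == "R-U-THERE" and peer_alive:
            peer.inbound(now)  # simplification: the R-U-THERE-ACK arrives the same second
    return peer


if __name__ == "__main__":
    # Constructed traffic patterns, one per scenario discussed in the thread.
    scenarios = [
        ("periodic, peer dead, no outbound", simulate("periodic", False, set())),
        ("on-demand, peer dead, one packet at t=50", simulate("on-demand", False, {50})),
        ("on-demand, peer dead, steady outbound from t=50",
         simulate("on-demand", False, set(range(50, 200)))),
        ("periodic, peer alive, ESP arriving every 5 s",
         simulate("periodic", True, set(), set(range(0, 200, 5)))),
    ]
    for title, p in scenarios:
        print(f"{title}: probes={p.probes_sent} teardown_at={p.teardown_at}")
```

The third and second scenarios are the ones behind John's question: with the dead peer and on-demand mode, a single outbound packet produces one R-U-THERE and nothing more, so the dead SA is only torn down when this side keeps trying to send; in periodic mode the teardown happens regardless of local traffic.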