[Openswan Users] DPD

Shi Lang shilang at greenpacket.com
Mon Jun 12 20:06:02 CEST 2006


Hi, John

Based on my knowledge, for both sites, if only one site enables the dpd, it
will not send the 'R_U_THERE' message. This message will be sent out only when both
enable the dpd option.


Regards,

Shi Lang

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Snitgen, John
Sent: Thursday, June 08, 2006 10:56 PM
To: Brian Candler
Cc: Openswan Users List (E-mail)
Subject: [Openswan Users] DPD

Thanks for the info!
I have a couple more questions just to clarify:
If I want to use on-demand mode on the Cisco, do I need to have DPD enabled
at all in my ipsec.conf on the Openswan side, or just configured on the
Cisco side?  I am guessing that if configured this way (no DPD parameters in
my ipsec.conf, Cisco configured for on-demand DPD), then only the Cisco will
be able to detect dead sessions, and then only when data is sent from that
end of the connection. Is this correct?

TIA!

John

-----Original Message-----
From: Brian Candler [mailto:B.Candler at pobox.com]
Sent: Thursday, June 08, 2006 9:33 AM
To: Snitgen, John
Cc: Openswan Users List (E-mail)
Subject: Re: [Openswan Users] DPD


On Wed, Jun 07, 2006 at 01:35:18PM -0400, Snitgen, John wrote:
> I read the DPD readme on the Openswan site and did not find the info that
> I am looking for, so here goes:
> 
> I am trying to use DPD on my Openswan to Cisco IPSec VPN.  The Cisco that
> I am connecting to is configured for 'on-demand' DPD - Is Openswan DPD
> capable of doing 'on-demand' mode, or just 'periodic' mode?

I can't answer the openswan side, but I can tell you a bit more about what
this means in practice on a Cisco (as I've examined it with tcpdump).

Firstly, DPD only takes effect if the router has not seen any inbound data
from the remote side for a little while. If the two sides are happily
exchanging ESP packets, no DPD R-U-THERE messages are sent at all, in either
on-demand or periodic mode.

If no incoming packets have been received for a while, then it behaves as
follows:

- with "periodic" mode, a DPD R-U-THERE is sent at intervals
- with "on-demand" mode, a DPD R-U-THERE is only sent if there is outbound
  traffic queued to be sent

If after a few retries no DPD R-U-THERE-ACK is received in response, then
the tunnel is torn down and re-established.

Now, regarding on-demand versus periodic: AFAICT there is no need for both
sides to be configured identically.

On a road-warrior client it makes sense to use "periodic" mode. This is
because if there is traffic from the central site to the road-warrior, but
the road-warrior's IP address has changed, the central site cannot rebuild
the tunnel. Therefore it's up to the client to keep the tunnel up and
re-establish it if necessary. However on the concentrator side you might as
well use on-demand, or no DPD at all.

For site-to-site tunnels, it doesn't really make much difference. If there's
no real tunnel traffic to be sent, then you don't need to send periodic
keepalives, so you might as well use on-demand.

HTH,

Brian.
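The behaviour Brian describes above (no probing while inbound traffic is flowing, periodic versus on-demand triggering, tear-down after unanswered retries) as a small simulation; this is an added example, not part of the thread and not Openswan or Cisco code, and the idle threshold, retry interval, retry count and the one-second ACK delay are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class DpdPeer:
    """One side's DPD decision logic as described in the thread (constructed model)."""
    mode: str                  # "periodic" or "on-demand"
    idle_after: int = 10       # seconds with no inbound traffic before probing starts (assumed)
    interval: int = 5          # seconds between R-U-THERE retries (assumed)
    max_retries: int = 3       # unanswered probes tolerated before the peer is declared dead (assumed)
    last_inbound: int = 0
    last_probe: int = -10**6
    unanswered: int = 0
    dead: bool = False

    def inbound(self, t: int) -> None:
        # Any inbound packet (ESP data or an R-U-THERE-ACK) proves the peer is alive.
        self.last_inbound, self.unanswered = t, 0

    def tick(self, t: int, outbound_queued: bool) -> bool:
        """Called once per second; returns True if an R-U-THERE is sent at time t."""
        if self.dead or t - self.last_inbound < self.idle_after:
            return False       # peer heard from recently: no probe in either mode
        if self.mode == "on-demand" and not outbound_queued:
            return False       # nothing to send, so nothing worth probing for
        if t - self.last_probe < self.interval:
            return False       # still waiting on the previous probe
        if self.unanswered >= self.max_retries:
            self.dead = True   # retries exhausted: tunnel is torn down and re-established
            return False
        self.last_probe, self.unanswered = t, self.unanswered + 1
        return True

def simulate(mode, inbound_at, outbound_at, until, peer_alive):
    """Drive a DpdPeer over a constructed timeline; returns (probe_times, dead_at).
    inbound_at / outbound_at: seconds at which ESP data arrives / local traffic is queued.
    peer_alive: if True, every R-U-THERE is answered by an ACK one second later."""
    peer, pending_ack, probes, dead_at = DpdPeer(mode), None, [], None
    for t in range(until):
        if t == pending_ack or t in inbound_at:
            peer.inbound(t)
        if peer.tick(t, t in outbound_at):
            probes.append(t)
            if peer_alive:
                pending_ack = t + 1
        if peer.dead:
            dead_at = t
            break
    return probes, dead_at
```

With these assumed timers a periodic peer facing a silent remote probes at 10, 15 and 20 s and declares it dead at 25 s, while an on-demand peer never probes at all until local traffic is queued.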