[Openswan Users] PAYLOAD_MALFORMED

Paul Wouters paul at xelerance.com
Fri Dec 19 14:14:33 EST 2008


On Fri, 19 Dec 2008, harald.meyer7 at freenet.de wrote:

> The non-restarted end has to be informed that the opposite site
> isn't ready for their old SA packets.
> 
> I suppose you have to activate some sort of DPD detection or
> lower your SA reassignment periods / timeouts.

DPD only works on phase1, not phase2.
The rebooting end should restart the tunnel and negotiate a new SA.
Then the non-rebooted end will replace its SA with the new one.

Paul

