[Openswan Users] DPD and timeout problems

Agent Smith news8080 at yahoo.com
Tue Feb 26 16:11:48 EST 2008


I am trying to use DPD to fail over a failed VPN
tunnel. The remote site runs Juniper hardware and
the local site has two openswan boxes with OSPF in between
them. The remote site also has two different ISPs that
tunnel into each of the Openswan boxes. I verified
that when the tunnel to OSW1 goes down, the route
changes right away (subsecond) on the Juniper box to
the other ISP which is used for OSW2, but it takes a
good min. before connectivity is restored via the
failover ISP (osw2 on the other side).

The problem is on the OSW side where I have to wait a
good minute (with the config posted below) for the
secondary connection to come back up. I really can't
reduce rekeymargin to less than 1?

Any suggestions to make it go faster? Also how much
overhead is it if I do phase II negotiations every min?

OSW1 
====
conn PSK-OSW1
        type=tunnel
        authby=secret
        rekey=yes
        rekeymargin=1m
        rekeyfuzz=0%
        ikelifetime=1440s
        keylife=120s
        dpdtimeout=10
        dpddelay=5
        dpdaction=restart
        left=local.osw1.ip
        leftsubnet=0.0.0.0/0
        right=remote.isp1.ip.addr
        rightsubnet=192.168.1.0/24
        auto=start
        keyingtries=1

OSW2
====
conn PSK-OSW2
        type=tunnel
        authby=secret
        rekey=yes
        rekeymargin=1m
        rekeyfuzz=0%
        ikelifetime=1440s
        keylife=120s
        dpdtimeout=10
        dpddelay=5
        dpdaction=restart
        left=osw2.ip
        leftsubnet=0.0.0.0/0
        right=remote.isp2.ip.addr
        rightsubnet=192.168.1.0/24
        auto=start
        keyingtries=1
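
The timers in the conn blocks above, worked through as an added example (not from the post or the Openswan project): a small Python model of the RFC 3706 liveness check that takes the posted dpddelay/dpdtimeout/keylife/rekeymargin/rekeyfuzz values and computes how long after link loss dpdaction fires and when the first rekey attempt is due. The DPD scheduling model is an assumption spelled out in the comments, not Openswan's actual event loop.

```python
"""Model RFC 3706 Dead Peer Detection timing for the DPD/rekey values posted above."""

# Constructed excerpt of the PSK-OSW1 conn from the post (same values, same syntax).
CONN_TEXT = """
        rekeymargin=1m
        rekeyfuzz=0%
        keylife=120s
        dpdtimeout=10
        dpddelay=5
        dpdaction=restart
"""

def parse_seconds(value):
    """ipsec.conf durations: '10' and '120s' are seconds, '1m' minutes, '2h' hours."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return float(value[:-1]) * units[value[-1]] if value[-1] in units else float(value)

def parse_conn(text):
    """Collect the key=value lines of a conn section into a dict of raw strings."""
    return dict(line.strip().split("=", 1) for line in text.splitlines() if "=" in line)

def dpd_dead_at(dpddelay, dpdtimeout, link_down_at):
    """Assumed model (not Openswan source): a liveness check runs every dpddelay
    seconds; an answered R_U_THERE refreshes last_proof; once dpdtimeout seconds
    pass without proof of life the peer is declared dead and dpdaction fires.
    Returns seconds since SA establishment at which that happens."""
    t = last_proof = 0.0
    while True:
        t += dpddelay
        if t < link_down_at:
            last_proof = t            # R_U_THERE_ACK received, peer is alive
        elif t - last_proof >= dpdtimeout:
            return t                  # no proof of life for dpdtimeout: dead

def dpd_worst_case_latency(dpddelay, dpdtimeout, step=0.5):
    """Largest link-loss-to-dpdaction delay, scanning link loss over one probe interval."""
    starts = [step * i for i in range(1, int(dpddelay / step) + 1)]
    return max(dpd_dead_at(dpddelay, dpdtimeout, x) - x for x in starts)

def rekey_attempt_at(keylife, rekeymargin, rekeyfuzz):
    """Earliest rekey: keylife minus the margin; fuzz only ever enlarges the margin."""
    return keylife - rekeymargin * (1 + rekeyfuzz)

def summarize(conn_text):
    c = parse_conn(conn_text)
    delay, timeout = parse_seconds(c["dpddelay"]), parse_seconds(c["dpdtimeout"])
    fuzz = float(c["rekeyfuzz"].rstrip("%")) / 100
    return {"dpd_worst_case_s": dpd_worst_case_latency(delay, timeout),
            "rekey_attempt_s": rekey_attempt_at(parse_seconds(c["keylife"]),
                                                parse_seconds(c["rekeymargin"]), fuzz),
            "dpdaction": c["dpdaction"]}

if __name__ == "__main__":
    print(summarize(CONN_TEXT))
```

Under that model the dead-peer decision lands within dpdtimeout (under 10 s) of link loss and the first rekey is due 60 s into the SA, so a wait approaching a minute is not accounted for by the liveness check itself.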
