[Openswan Users] DPD and timeout problems
Agent Smith
news8080 at yahoo.com
Tue Feb 26 16:11:48 EST 2008
I am trying to use DPD to fail over a failed VPN tunnel. The remote site runs Juniper hardware and the local site has two Openswan boxes with OSPF in between them. The remote site also has two different ISPs that tunnel into each of the Openswan boxes. I verified that when the tunnel to OSW1 goes down, the route changes right away (subsecond) on the Juniper box to the other ISP, which is used for OSW2, but it takes a good minute before connectivity is restored via the failover ISP (OSW2 on the other side).

The problem is on the OSW side, where I have to wait a good minute (with the config posted below) for the secondary connection to come back up. I really can't reduce rekeymargin to less than 1m?

Any suggestion to make it go faster? Also, how much overhead is it if I do phase II negotiations every minute?
OSW1
====
conn PSK-OSW1
	# ipsec.conf requires the parameters of a conn to be indented
	type=tunnel
	authby=secret
	rekey=yes
	rekeymargin=1m
	rekeyfuzz=0%
	ikelifetime=1440s
	keylife=120s
	# dpddelay/dpdtimeout are in seconds
	dpdtimeout=10
	dpddelay=5
	dpdaction=restart
	left=local.osw1.ip
	leftsubnet=0.0.0.0/0
	right=remote.isp1.ip.addr
	rightsubnet=192.168.1.0/24
	auto=start
	keyingtries=1
OSW2
====
conn PSK-OSW2
	# same settings as PSK-OSW1, second ISP on the remote side
	type=tunnel
	authby=secret
	rekey=yes
	rekeymargin=1m
	rekeyfuzz=0%
	ikelifetime=1440s
	keylife=120s
	dpdtimeout=10
	dpddelay=5
	dpdaction=restart
	left=osw2.ip
	leftsubnet=0.0.0.0/0
	right=remote.isp2.ip.addr
	rightsubnet=192.168.1.0/24
	auto=start
	keyingtries=1
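As an added example (not part of the post above, and not Openswan's own tooling), the script below parses conn sections out of an ipsec.conf and reports, for each, the worst-case dead-peer detection time implied by dpddelay and dpdtimeout, the rekey window implied by keylife, rekeymargin and rekeyfuzz, and a warning when keyingtries=1 is combined with dpdaction=restart. The sample configuration is constructed from the PSK-OSW1 conn in the post; the defaults assumed for missing keys (keylife 8h, rekeymargin 9m, rekeyfuzz 100%, keyingtries %forever) are Openswan's documented defaults.

```python
"""Audit DPD and rekey timing in Openswan-style ipsec.conf conn sections.

Added example; the parsing rules and defaults are assumptions taken from the
ipsec.conf(5) format, not code from the Openswan project.
"""
import re

# Constructed sample: the PSK-OSW1 conn from the post, with the indentation
# that ipsec.conf requires under a "conn" header.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn PSK-OSW1
    type=tunnel
    authby=secret
    rekey=yes
    rekeymargin=1m
    rekeyfuzz=0%
    ikelifetime=1440s
    keylife=120s
    dpdtimeout=10
    dpddelay=5
    dpdaction=restart
    left=local.osw1.ip
    leftsubnet=0.0.0.0/0
    right=remote.isp1.ip.addr
    rightsubnet=192.168.1.0/24
    auto=start
    keyingtries=1   # one attempt only
"""

_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_seconds(value):
    """Convert an ipsec.conf time value ("10", "1m", "1440s", "8h") to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:   # indented key=value inside a conn
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns


def analyse(conn):
    """Derive DPD and rekey timing numbers plus warnings from one conn."""
    delay = parse_seconds(conn.get("dpddelay", "0"))
    timeout = parse_seconds(conn.get("dpdtimeout", "0"))
    keylife = parse_seconds(conn.get("keylife", "8h"))        # Openswan default
    margin = parse_seconds(conn.get("rekeymargin", "9m"))     # Openswan default
    fuzz = int(conn.get("rekeyfuzz", "100%").rstrip("%"))     # Openswan default
    tries = conn.get("keyingtries", "%forever")
    result = {
        # first probe goes out after `delay` idle seconds; the peer is declared
        # dead if nothing is heard for `timeout` seconds after that
        "dpd_detect_worst_s": delay + timeout if delay and timeout else None,
        # rekeying starts keylife - margin after SA setup; the margin is
        # randomly stretched by up to fuzz percent, so the window is a range
        "rekey_earliest_s": keylife - margin - margin * fuzz // 100,
        "rekey_latest_s": keylife - margin,
        "warnings": [],
    }
    if margin >= keylife:
        result["warnings"].append(
            "rekeymargin >= keylife: rekey window starts at or before SA setup")
    if conn.get("dpdaction") == "restart" and tries != "%forever" and int(tries) <= 1:
        result["warnings"].append(
            "keyingtries=1 with dpdaction=restart: a single failed restart "
            "leaves the tunnel down until something else re-initiates it")
    return result


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, analyse(conn))
```

Run against the sample, the script reports a worst-case dead-peer detection of 15 s for PSK-OSW1 and a phase 2 rekey exactly 60 s after each SA comes up (rekeyfuzz=0% collapses the window to a single value), and flags the keyingtries=1 / dpdaction=restart combination; pointing it at a real /etc/ipsec.conf instead of SAMPLE_CONF is the obvious next step.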