[Openswan Users] ike and netfilter timeout

Marco Berizzi pupilla at hotmail.com
Wed Jan 16 03:01:32 EST 2008


Paul Wouters wrote:

> On Tue, 15 Jan 2008, Marco Berizzi wrote:
>
> > I would like to know if there is a way to
> > configure openswan to send some kind of
> > ike keepalive packets, so netfilter will
> > not delete the entries for udp 500 from
> > /proc/net/nf_conntrack.
> > DPD isn't an option because it only sends
> > the ike packets if there is no traffic
> > inside the tunnel (no ESP packets).
>
> don't you only care about this behind NAT, so then you are using
> port 4500, which also sees the NAT IKE keepalives if there is
> no traffic?

Hi Paul.
Thinking again about this issue.
How about ikeping? Adding an option to
ipsec.conf, something like ikeping=5min, so
openswan sends an ikeping to the left/right
ip address every five minutes. This would
do the trick. Wouldn't it?
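One way to watch the conntrack expiry the thread is worried about, as an added example that is not part of the thread and not Openswan code: it parses /proc/net/nf_conntrack lines, keeps UDP flows on 500/4500 and flags those whose remaining timeout is below a threshold. The conntrack lines below are constructed, and the 60 second threshold is an arbitrary choice.

```python
"""Flag IKE (udp/500, udp/4500) conntrack entries that are about to expire."""
import re

IKE_PORTS = {500, 4500}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Return a dict for a UDP nf_conntrack line, or None for other protocols.

    Layout of /proc/net/nf_conntrack: l3proto l3num l4proto l4num timeout <tuples...>
    UDP lines carry no state column, so the timeout is always the fifth field.
    """
    fields = line.split()
    if len(fields) < 5 or fields[2] != "udp":
        return None
    orig = {}
    # The first src/dst/sport/dport group is the original direction of the flow.
    for key, value in KV_RE.findall(line):
        if key in ("src", "dst", "sport", "dport") and key not in orig:
            orig[key] = value
    return {
        "src": orig["src"], "dst": orig["dst"],
        "sport": int(orig["sport"]), "dport": int(orig["dport"]),
        "timeout": int(fields[4]),            # seconds until the entry is dropped
        "assured": "[ASSURED]" in line,       # reply seen in both directions
        "unreplied": "[UNREPLIED]" in line,
    }


def expiring_ike_entries(lines, threshold=60):
    """Return IKE entries whose remaining conntrack timeout is <= threshold seconds."""
    hits = []
    for line in lines:
        entry = parse_conntrack_line(line)
        if entry is None or not ({entry["sport"], entry["dport"]} & IKE_PORTS):
            continue
        if entry["timeout"] <= threshold:
            hits.append(entry)
    return hits


# Constructed sample; on a live box use open("/proc/net/nf_conntrack") instead.
SAMPLE = """\
ipv4     2 udp      17 25 src=192.0.2.10 dst=198.51.100.7 sport=500 dport=500 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=500 dport=500 mark=0 use=1
ipv4     2 udp      17 170 src=192.0.2.10 dst=198.51.100.7 sport=4500 dport=4500 src=198.51.100.7 dst=192.0.2.10 sport=4500 dport=4500 [ASSURED] mark=0 use=1
ipv4     2 udp      17 10 src=192.0.2.10 dst=192.0.2.53 sport=40123 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40123 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51000 dport=22 src=198.51.100.7 dst=192.0.2.10 sport=22 dport=51000 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    for e in expiring_ike_entries(SAMPLE.splitlines()):
        print(f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} expires in {e['timeout']}s")
```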
