[Openswan Users] OpenSWAN, KLIPS, and dead tunnels

Paul Wouters paul at xelerance.com
Fri Oct 16 09:47:47 EDT 2009


On Thu, 8 Oct 2009, Benny Amorsen wrote:

>> Actually, DPD is intended to be *the* reliable mechanism to detect IPSec
>> outages...correct?
>
> Has it ever started working correctly for multiple tunnels between the
> same gateways? In the past it would only trigger if connectivity is lost
> completely between the two gateways, not if just one tunnel was down. I
> believed that was by design.

Define "tunnel down"?

If you have multiple tunnels, it means you have 1 ISAKMP SA and multiple
IPsec SAs. The DPD tests the ISAKMP SA. It cannot test the IPsec SA,
because sending packets on that channel might run into other things, such
as firewalls/permissions/nothing listening there.

Paul
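For reference, this is what the setup Paul describes looks like in an Openswan ipsec.conf: two conns between the same pair of gateways share one ISAKMP SA, and DPD is enabled on that SA. This is an added illustrative fragment, not configuration from the thread; the addresses, subnets, names and timer values are assumptions chosen for the example.

```conf
# Added example ipsec.conf fragment (not from the thread).
# Two conns between the same gateways: one ISAKMP (IKE) SA, two IPsec SAs.
# DPD (dpddelay/dpdtimeout/dpdaction) probes the ISAKMP SA only, so it
# detects loss of the peer gateway, not the loss of a single IPsec SA.
# All addresses and timer values below are assumed sample values.

config setup
        protostack=klips

conn gw-base
        left=192.0.2.1
        leftid=@gw-a.example.net
        right=198.51.100.1
        rightid=@gw-b.example.net
        authby=secret
        dpddelay=30          # seconds between DPD R_U_THERE probes on the ISAKMP SA
        dpdtimeout=120       # declare the peer dead after this long without a reply
        dpdaction=restart    # on peer death, tear down and re-initiate the tunnels

conn site-a-to-b-lan
        also=gw-base
        leftsubnet=10.1.0.0/24
        rightsubnet=10.2.0.0/24
        auto=start

conn site-a-to-b-dmz
        also=gw-base
        leftsubnet=10.1.1.0/24
        rightsubnet=10.2.1.0/24
        auto=start
```

With this configuration, a DPD timeout on gw-base restarts both conns because they hang off the same ISAKMP SA; if only one IPsec SA stops passing traffic while the ISAKMP SA stays healthy, DPD has nothing to report, which is the per-tunnel gap Paul is pointing at. Detecting that case needs a check that runs inside each tunnel, such as monitoring traffic or reachability of a host in the remote subnet.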

