[Openswan Users] OpenSWAN, KLIPS, and dead tunnels
Paul Wouters
paul at xelerance.com
Fri Oct 16 15:53:45 EDT 2009
On Fri, 16 Oct 2009, Benny Amorsen wrote:
>> If you have multiple tunnels, it means you have 1 ISAKMP SA, and multiple
>> IPsec SA's. The DPD tests the ISAKMP SA. It cannot test the IPsec SA,
>> because sending packets on that channel might run into other things, such
>> as firewalls/permissions/nothing listening there.
>
> Right, and this makes it fairly useless for actually keeping tunnels up.
Not really.
> If an IPSEC SA disappears, DPD won't help.
They don't "disappear". If you still have a working ISAKMP SA, the IPsec SA
can:
- Rekey
- Expire without rekeying
- Rekey on receiving a packet for the tunnel
However, with an ISAKMP SA still working, the IPsec SA does not "disappear".
If your connectivity disappears, so does the ISAKMP SA.
> When actual traffic arrives,
> this can get the IPSEC SA up, but this tends to only work when neither
> end is a road warrior.
It works if neither or one end is a roadwarrior. If both are a roadwarrior,
you're asking for trouble, and should invest in a static IP for one side,
or deploy a hub-spoke architecture.
Doing your own kind of "pings" to restart a tunnel, especially on roadwarriors,
which can easily saturate their limited uplink, is likely to do more harm than
good.
Paul
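A defender-side check for the situation Paul describes (ISAKMP SA still up, IPsec SA expired without rekeying and waiting for the next packet, which DPD cannot detect), added here as example code that is not part of the thread or of Openswan itself. It parses constructed `ipsec auto --status`-style state lines; the sample lines, the `classify` and `idle_tunnels` helpers and the exact line layout are assumptions.

```python
import re

# Constructed sample modelled on Openswan's state listing (not captured from a
# live system; field order and wording on a real host may differ).
SAMPLE_STATUS = """\
000 #1: "office" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2589s; newest ISAKMP; lastdpd=5s(seq in:1234 out:0)
000 #2: "office" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2859s; newest IPSEC; eroute owner
000 #3: "roadwarrior-bob" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP; lastdpd=12s(seq in:77 out:0)
000 #4: "roadwarrior-bob" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 30s; newest IPSEC; eroute owner
000 #5: "branch" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 900s; newest ISAKMP; lastdpd=3s(seq in:9 out:0)
"""

# One state line: "000 #<num>: "<conn>" STATE_xxx (<description>); EVENT_xxx in <n>s; ..."
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\)(?:; (?P<event>EVENT_\w+) in (?P<secs>\d+)s)?'
)


def classify(status_text):
    """Map each connection name to which SA types it currently has.

    Returns {conn: {"isakmp": bool, "ipsec": bool, "next_event": (name, secs) | None}}.
    Only the IPsec (phase 2) entry's next event is recorded, since that is the
    one that decides whether the tunnel rekeys or silently expires.
    """
    conns = {}
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # not a state line (e.g. connection or policy listing)
        entry = conns.setdefault(m["conn"], {"isakmp": False, "ipsec": False, "next_event": None})
        if "ISAKMP SA established" in m["desc"]:
            entry["isakmp"] = True
        elif "IPsec SA established" in m["desc"]:
            entry["ipsec"] = True
            if m["event"]:
                entry["next_event"] = (m["event"], int(m["secs"]))
    return conns


def idle_tunnels(status_text):
    """Connections whose ISAKMP SA is up but which have no IPsec SA at all.

    This is the 'expired without rekeying' case from the thread: DPD still
    succeeds (it tests the ISAKMP SA), and the tunnel only comes back when
    traffic for it arrives. Worth alerting on for a monitoring host, rather
    than sending artificial traffic to force a rekey.
    """
    return sorted(c for c, s in classify(status_text).items() if s["isakmp"] and not s["ipsec"])
```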