[Openswan Users] OpenSWAN, KLIPS, and dead tunnels

Paul Wouters paul at xelerance.com
Fri Oct 16 15:53:45 EDT 2009

On Fri, 16 Oct 2009, Benny Amorsen wrote:

>> If you have multiple tunnels, it means you have 1 ISAKMP SA, and multiple
>> IPsec SA's. The DPD tests the ISAKMP SA. It cannot test the IPsec SA,
>> because sending packets on that channel might run into other things, such
>> as firewalls/permissions/nothing listening there.
> Right, and this makes it fairly useless for actually keeping tunnels up.

Not really.

> If an IPSEC SA disappears, DPD won't help.

They don't "disappear". If you still have a working ISAKMP SA, the IPsec SA

- Rekey
- Expire without rekeying
- Rekey on receiving a packet for the tunnel

However, with an ISAKMP Sa still working, the IPsec SA does not "disappear".
If your connectivity disappears, so does the ISAKMP SA.

> When actual traffic arrives,
> this can get the IPSEC SA up, but this tends to only work when neither
> end is a road warrior.

It works if neither or one end is a roadwarrior. If both are a roadwarrior,
you're asking for trouble, and should invest in a static ip for one side,
or deploy a hub-spoke architecture.

Doing your own kind of "pings" to restart a tunnel, especially on roadwarriors
which can easilly saturate their limited uplink is likely to do more harm then


More information about the Users mailing list