[Openswan Users] OpenSWAN, KLIPS, and dead tunnels
Benny Amorsen
benny+usenet at amorsen.dk
Fri Oct 16 14:14:14 EDT 2009

Paul Wouters <paul at xelerance.com> writes:
> If you have multiple tunnels, it means you have 1 ISAKMP SA, and multiple
> IPsec SA's. The DPD tests the ISAKMP SA. It cannot test the IPsec SA,
> because sending packets on that channel might run into other things, such
> as firewalls/permissions/nothing listening there.
Right, and this makes it fairly useless for actually keeping tunnels up.
If an IPsec SA disappears, DPD won't help. When actual traffic arrives,
this can get the IPsec SA up, but this tends to only work when neither
end is a road warrior.

/Benny
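A monitoring check for the gap the two posts describe, as an added example that is not part of the thread: it parses IKEv1 state lines in the style of Openswan's `ipsec auto --status` output (the exact field layout and the sample lines are constructed assumptions) and reports connections whose ISAKMP SA is established but which currently have no IPsec SA, which is exactly the condition DPD will not notice.

```python
import re

# Constructed sample in the style of Openswan `ipsec auto --status` state lines.
# The field layout is an assumption; real output carries more fields.
SAMPLE_STATUS = """\
000 #1: "branch-a":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2615s; newest ISAKMP; lastdpd=2s(seq in:0 out:0)
000 #2: "branch-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27950s; newest IPSEC; eroute owner
000 #3: "branch-b":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1200s; newest ISAKMP; lastdpd=1s(seq in:0 out:0)
000 #4: "roadwarrior-1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 900s; newest ISAKMP; nodpd
"""

# "000 #<state number>: "<conn name>"[:port] STATE_<name> ..."
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"[^ ]* (?P<state>STATE_\w+)')


def parse_states(text):
    """Group state numbers per connection into ISAKMP (phase 1) and
    IPsec (phase 2, STATE_QUICK_*) SAs."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # non-state lines of the status dump are ignored
        entry = conns.setdefault(m['conn'], {'isakmp': [], 'ipsec': []})
        kind = 'ipsec' if m['state'].startswith('STATE_QUICK_') else 'isakmp'
        entry[kind].append(int(m['num']))
    return conns


def half_open_tunnels(text):
    """Connections with a live ISAKMP SA but no IPsec SA. DPD keeps
    answering on the ISAKMP SA, so these look healthy to DPD even
    though no tunnel traffic can flow until phase 2 is renegotiated."""
    return sorted(conn for conn, entry in parse_states(text).items()
                  if entry['isakmp'] and not entry['ipsec'])


if __name__ == '__main__':
    for conn in half_open_tunnels(SAMPLE_STATUS):
        print(f"{conn}: ISAKMP SA up, no IPsec SA (DPD will not detect this)")
```

A connection that has simply not negotiated phase 2 yet is reported the same way, so treat a hit as something to alert on only when it persists across consecutive status snapshots.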