[Openswan Users] Left side does not detect disconnection

Tuomo Soini tis at foobar.fi
Mon Nov 21 14:28:36 EST 2011


On Mon, 21 Nov 2011 15:27:09 +0100
Erich Titl <erich.titl at think.ch> wrote:
> > If I understand it correctly, IPSec doesn't have a mechanism to
> > detect disconnections (probably because IP is connectionless to
> > begin with, so the concept of "disconnection" is a poor fit). There
> > are several other mechanisms.

That is completely untrue. IPsec has delete SA notifications to tell
the other end about disconnecting. Another way to notice a disconnect is
Dead Peer Detection, which is supported in openswan too. Dead Peer Detection
can be configured to restart the tunnel, hold the tunnel or clear the tunnel,
depending on needs.

> responder side
> 
> ipsec auto --replace <connection_name>

dpdaction=clear does the same thing without dropping all instances of
the same conn.
> 
> initiator side
> 
> ipsec auto --replace <connection_name>
> ipsec auto --up <connection_name>

dpdaction=restart_by_peer will restart the connection automatically in
case of a disconnect.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
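
Added example, not part of the original message or of Openswan: a small Python check that reads an ipsec.conf-style file and reports the effective dpdaction of each conn, including values inherited from conn %default. The sample config, conn names and timer values are constructed; the script assumes DPD is only active when dpddelay or dpdtimeout is set and that an unset dpdaction means hold.

```python
VALID_ACTIONS = {"hold", "clear", "restart", "restart_by_peer"}

# Constructed sample config (conn names and timer values are made up).
SAMPLE_CONF = """\
conn %default
    dpddelay=30
    dpdtimeout=120

conn responder-side
    dpdaction=clear

conn initiator-side
    dpdaction=restart_by_peer

conn hyphen-typo
    dpdaction=restart-by-peer
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:  # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def audit_dpd(text):
    """Return {conn: finding} for every conn except %default."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    report = {}
    for name, opts in conns.items():
        eff = {**defaults, **opts}                # conn values override %default
        action = eff.get("dpdaction", "hold")     # assumption: unset means hold
        if "dpddelay" not in eff and "dpdtimeout" not in eff:
            report[name] = "DPD timers not set"
        elif action not in VALID_ACTIONS:
            report[name] = f"unknown dpdaction '{action}'"
        else:
            report[name] = f"dpdaction={action}"
    return report
```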

