[Openswan Users] Dead Peer Detection restart causes tunnel to be established, but afterwards cannot ping from either side

Erich Titl erich.titl at think.ch
Mon Oct 10 18:17:11 EDT 2011


on 10.10.2011 14:30, Geekman wrote:
> Hi All,
> Decided to run a ping to the other side of a tunnel for a few hours
> today, because obviously if the tunnels stop working intermittently
> due to this issue, then that's a big step from only happening on
> restart. It seemed highly likely given the presentation of the issue
> I've seen thus far.
> And on it goes like that. This was without any sort of intervention --
> no restarts or anything, obviously this is kind of a deal breaker.
> Unless I was to add a cron job to issue "--replace" on all tunnels
> every 15 minutes... which feels so dirty to me.

It is but at least in my case something outside IPSEC appears to work
better than DPD. Mind you I am running code from the stone age.

I am running a ICMP echo through the tunnel every n seconds. if the echo
fails, I ping every second.
If it fails consecutively for a defined number of retries, I try to
determine if I have access to the default router, if not, I restart the
interface and the next loop starts.
Else I try to restart the tunnel and check again.

This has proven to be quite effective.
Still a good implementation of DPD should perform a lot better than
this, but then....



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2182 bytes
Desc: S/MIME Kryptografische Unterschrift
Url : http://lists.openswan.org/pipermail/users/attachments/20111011/5a2b305e/attachment.bin 

More information about the Users mailing list