[Openswan Users] understanding dpdtimeout

Willie Gillespie wgillespie+openswan at es2eng.com
Tue Oct 18 09:48:44 EDT 2011

On 10/17/2011 05:30 PM, Ondrej Moriš wrote:
> Hi list, what is the exact purpose of the dpdtimeout option in ipsec.conf?
> Is it possible to configure conn in ipsec.conf so that once there is no
> traffic, conn-related SA will be removed? AFAIK this should be done via
> these dpdtimeout & dpdaction options, but it is not working for me -
> even though there is no traffic between nodes, SA are not deleted. What
> is wrong here?

I believe DPD is used only to clear connections if the other side does 
not respond.

I think I know what you are after, since I have some Cisco hardware that 
will do that.  (Create an IPsec connection if there is traffic that 
matches a rule, but after a timeout with no traffic will clear the 

I glanced through the man pages, but I don't know if Openswan has an 
on-demand type of initialization like that though.  However, anyone can 
feel free to correct me if I'm incorrect here.


