[Openswan Users] understanding dpdtimeout

Ondrej Moriš omoris at redhat.com
Tue Oct 18 17:53:08 EDT 2011

Hi Willie, thanks a lot for your reply,

On 10/18/2011 03:48 PM, Willie Gillespie wrote:
> On 10/17/2011 05:30 PM, Ondrej Moriš wrote:
>> Hi list, what is the exact purpose of dpdtimeout option in ipsec.conf?
>> Is it possible to configure conn in ipsec.conf so that once there is no
>> traffic, conn-related SA will be removed? AFAIK this should be done via
>> these dpdtimeout&  dpdaction options, but it is not working for me -
>> even though there is no traffic between nodes, SA are not deleted. What
>> is wrong here?
> I believe DPD is used only to clear connections if the other side does 
> not respond.
Yes, you're right. But what will happen if I remove SA record on the 
first node? Is this first node now a dead peer for the second one even 
though there is no traffic between them? Is there any periodic SA 
checking between nodes done so that openswan recognize dead peers?

What I want to achieve is that (manual) removing SA on the first node 
will lead to (automatic) removing of SA on the second node.

> I think I know what you are after, since I have some Cisco hardware 
> that will do that.  (Create a IPsec connection if there is traffic 
> that matches a rule, but after a timeout with no traffic will clear 
> the connection.)
It would be great to have such feature directly in openswan :).
> I glanced through the man pages, but I don't know if Openswan has an 
> on-demand type of initialization like that though.  However, anyone 
> can feel free to correct me if I'm incorrect here.
> Willie

Ondrej Moriš, RHCE
Quality Assurance Engineer
BaseOS QE - Security
Email: omoris at redhat.com
Web: www.cz.redhat.com
IRC: omoris at #qa #urt #brno, #penguins
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

More information about the Users mailing list