[Openswan Users] understanding dpdtimeout
omoris at redhat.com
Tue Oct 18 17:53:08 EDT 2011
Hi Willie, thanks a lot for your reply,
On 10/18/2011 03:48 PM, Willie Gillespie wrote:
> On 10/17/2011 05:30 PM, Ondrej Moriš wrote:
>> Hi list, what is the exact purpose of dpdtimeout option in ipsec.conf?
>> Is it possible to configure conn in ipsec.conf so that once there is no
>> traffic, conn-related SA will be removed? AFAIK this should be done via
>> these dpdtimeout& dpdaction options, but it is not working for me -
>> even though there is no traffic between nodes, SA are not deleted. What
>> is wrong here?
> I believe DPD is used only to clear connections if the other side does
> not respond.
Yes, you're right. But what will happen if I remove SA record on the
first node? Is this first node now a dead peer for the second one even
though there is no traffic between them? Is there any periodic SA
checking between nodes done so that openswan recognize dead peers?
What I want to achieve is that (manual) removing SA on the first node
will lead to (automatic) removing of SA on the second node.
> I think I know what you are after, since I have some Cisco hardware
> that will do that. (Create a IPsec connection if there is traffic
> that matches a rule, but after a timeout with no traffic will clear
> the connection.)
It would be great to have such feature directly in openswan :).
> I glanced through the man pages, but I don't know if Openswan has an
> on-demand type of initialization like that though. However, anyone
> can feel free to correct me if I'm incorrect here.
Ondrej Moriš, RHCE
Quality Assurance Engineer
BaseOS QE - Security
Email: omoris at redhat.com
IRC: omoris at #qa #urt #brno, #penguins
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the Users