[Openswan Users] understanding dpdtimeout
paul at xelerance.com
Tue Oct 18 23:38:48 EDT 2011
On Tue, 18 Oct 2011, Willie Gillespie wrote:
> On 10/17/2011 05:30 PM, Ondrej Moriš wrote:
>> Hi list, what is the exact purpose of dpdtimeout option in ipsec.conf?
>> Is it possible to configure conn in ipsec.conf so that once there is no
>> traffic, conn-related SA will be removed? AFAIK this should be done via
>> these dpdtimeout& dpdaction options, but it is not working for me -
>> even though there is no traffic between nodes, SA are not deleted. What
>> is wrong here?
> I believe DPD is used only to clear connections if the other side does
> not respond.
> I think I know what you are after, since I have some Cisco hardware that
> will do that. (Create a IPsec connection if there is traffic that
> matches a rule, but after a timeout with no traffic will clear the
> I glanced through the man pages, but I don't know if Openswan has an
> on-demand type of initialization like that though. However, anyone can
> feel free to correct me if I'm incorrect here.
auto=route with rekey=no should do that.
More information about the Users