[Openswan Users] understanding dpdtimeout

Paul Wouters paul at xelerance.com
Tue Oct 18 23:38:48 EDT 2011


On Tue, 18 Oct 2011, Willie Gillespie wrote:

> On 10/17/2011 05:30 PM, Ondrej Moriš wrote:
>> Hi list, what is the exact purpose of dpdtimeout option in ipsec.conf?
>> Is it possible to configure conn in ipsec.conf so that once there is no
>> traffic, conn-related SA will be removed? AFAIK this should be done via
>> these dpdtimeout & dpdaction options, but it is not working for me -
>> even though there is no traffic between nodes, SA are not deleted. What
>> is wrong here?
>
> I believe DPD is used only to clear connections if the other side does
> not respond.
>
> I think I know what you are after, since I have some Cisco hardware that
> will do that.  (Create an IPsec connection if there is traffic that
> matches a rule, but after a timeout with no traffic will clear the
> connection.)
>
> I glanced through the man pages, but I don't know if Openswan has an
> on-demand type of initialization like that though.  However, anyone can
> feel free to correct me if I'm incorrect here.

auto=route with rekey=no should do that.

Paul
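As an added configuration example (not from the thread or from Openswan's own documentation), here is a conn that combines Paul's suggestion (auto=route with rekey=no) with the DPD options Ondrej asked about, so the two mechanisms and their different jobs sit side by side; the addresses, subnets and lifetimes are placeholders.

```ini
# Added example: on-demand tunnel that is torn down when idle (via lifetime
# expiry) or when the peer stops responding (via DPD). Values are placeholders.
conn ondemand-tunnel
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        authby=secret
        # Install the kernel policy at startup but do not negotiate yet;
        # the first packet matching the subnets triggers IKE (on-demand start).
        auto=route
        # Do not renegotiate when the SA lifetime ends: with no traffic the SA
        # simply expires and the policy falls back to trapping packets until
        # new traffic appears. The effective idle timeout is thus salifetime.
        rekey=no
        salifetime=1h
        ikelifetime=1h
        # DPD covers the other failure mode: a peer that has gone silent.
        # Probe every dpddelay seconds; after dpdtimeout seconds with no reply,
        # dpdaction=clear removes the SA (it does not react to idle traffic).
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
```

rekey=no only stops this side from renewing the SA; if the peer initiates rekeying before its own lifetime expires, the tunnel stays up, so the peer needs a matching setting for the idle teardown to be reliable.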

