[Openswan Users] Phase 1 Rekeying after Phase 1 SA expires, dpdaction = restart/restart_by_peer
elison.niven at elitecore.com
Thu Aug 16 07:25:02 EDT 2012
This is just a little experience with dpdaction=restart and
dpdaction=restart_by_peer. It may help someone.
The issue I faced was that after Phase 1 expired, Rekeying did not take
What I wanted to achieve was that even after Phase 1 expiry, Pluto should keep
trying to initiate Main Mode.
I thought this is possible with dpdaction=restart and keyingtries=%forever.
But after the Phase 1 expired, Rekeying did not happen.
Machine 1 (initiator) -- IPSEC --> Network Switch -- IPSEC --> Machine 2
Network switch is turned off.
When Network switch is turned on again (say after 12 hours), Machine 1
should initiate IPSEC connection.
After "DPD: No response from peer - declaring peer dead"
and "DPD: Restarting Connection"
Machine 1 tries "initiating Main Mode to replace #1"
After "pending Quick Mode with <remote ip> "<connection name>" took too
long -- replacing phase 1",
The IPSEC and ISAKMP SA's expire :
""<connection name>" #2: IPsec SA expired (LATEST!)"
""<connection name>" #1: ISAKMP SA expired (LATEST!)"
After this, pluto did not try to reinitiate the connection.
Pluto will keep trying to initiate the connection. When the network
switch is turned on, the connection will be established. Tested with
openswan 2.6.36 (netkey) on Fedora 16.
Also, bleve says "Always use restart_by_peer. There is NEVER reason to
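As an added illustration (not part of the original post, and not taken from Openswan's own sample configs), here is an ipsec.conf fragment for openswan 2.6.x that puts the two dpdaction values compared above side by side. The connection name, addresses, subnets and lifetimes are hypothetical; the config keys themselves (dpddelay, dpdtimeout, dpdaction, keyingtries, auto, ikelifetime, salifetime) are Openswan's.

```ini
# Added example, not from the original post.
# Openswan 2.6.x ipsec.conf fragment for the initiator (Machine 1).
# All names, addresses, subnets and lifetimes are hypothetical.

config setup
    protostack=netkey

conn machine1-to-machine2
    # Hypothetical endpoints and protected subnets.
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    # Pre-shared key; the secret itself lives in ipsec.secrets.
    authby=secret
    # Start the tunnel when pluto comes up, so Machine 1 is the initiator.
    auto=start
    # Never give up on Main Mode, as the post wanted.
    keyingtries=%forever
    # Hypothetical Phase 1 / Phase 2 lifetimes; the post's issue shows up
    # once the ISAKMP SA (Phase 1) expires while the peer is unreachable.
    ikelifetime=1h
    salifetime=8h
    # DPD is only active when both dpddelay and dpdtimeout are set.
    dpddelay=30
    dpdtimeout=120
    # The setting the post tried first. With it, the post reports that
    # after "DPD: No response from peer" and the ISAKMP SA expiring,
    # pluto did not re-initiate the connection.
    #dpdaction=restart
    # The setting the post reports as working (and that bleve recommends):
    # pluto keeps trying, and the tunnel comes back when the switch is on.
    dpdaction=restart_by_peer
```

To reproduce the post's test, bring the tunnel up with `ipsec auto --up machine1-to-machine2` (or just `auto=start`), cut the path between the two machines for longer than ikelifetime, and watch `ipsec auto --status` and the pluto log for "initiating Main Mode" after the path is restored.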