[Openswan Users] Phase 1 Rekeying after Phase 1 SA expires, dpdaction = restart/restart_by_peer

Elison Niven elison.niven at elitecore.com
Thu Aug 16 07:25:02 EDT 2012


Hello,

This is just a little experience with dpdaction=restart and 
dpdaction=restart_by_peer. It may help someone.

The issue I faced was that after Phase 1 expired, rekeying did not take 
place.
I wanted Pluto to keep trying to initiate Main Mode even after the 
Phase 1 expiry.
I thought this was possible with dpdaction=restart and keyingtries=%forever.
But after Phase 1 expired, rekeying did not happen.

Network scenario:
Machine 1 (initiator) -- IPSEC --> Network Switch -- IPSEC --> Machine 2

Expectation:
Network switch is turned off.
When Network switch is turned on again (say after 12 hours), Machine 1 
should initiate IPSEC connection.

Actual Results:
After "DPD: No response from peer - declaring peer dead"
and "DPD: Restarting Connection"
Machine 1 tries "initiating Main Mode to replace #1"
After "pending Quick Mode with <remote ip> "<connection name>" took too 
long -- replacing phase 1",
The IPsec and ISAKMP SAs expire:
""<connection name>" #2: IPsec SA expired (LATEST!)"
""<connection name>" #1: ISAKMP SA expired (LATEST!)"
After this, pluto did not try to reinitiate the connection.

Solution:
Use dpdaction=restart_by_peer.
Pluto will keep trying to initiate the connection. When the network 
switch is turned on, the connection will be established. Tested with 
openswan 2.6.36 (netkey) on Fedora 16.
Also, bleve says "Always use restart_by_peer. There is NEVER reason to 
use dpdaction=restart".
Thanks!

-- 
Best Regards,
Elison Niven
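As an added illustration (not part of the original post), the fix described above is a one-keyword change in the initiator's ipsec.conf. The stanza below shows the setting the post reports as failing next to the one that worked, together with the DPD and keyingtries keywords it depends on. The connection name, addresses and subnets are placeholders chosen for the example, and the DPD timers are ordinary values, not ones given in the post. One caveat from the ipsec.conf man page: restart_by_peer restarts every connection to that peer, not just the one whose DPD timed out, which is usually what you want on a site-to-site link but matters if several conns share a peer.

```ini
# Constructed example: Openswan ipsec.conf for the initiator (Machine 1).
# Names, addresses and subnets are placeholders, not from the original post.
config setup
    protostack=netkey

conn machine1-to-machine2
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    # Bring the tunnel up at startup and never give up on Phase 1 retries.
    auto=start
    keyingtries=%forever
    # Dead Peer Detection: probe every 30s, declare the peer dead after 120s
    # without a reply (timer values are an assumption for this example).
    dpddelay=30
    dpdtimeout=120
    # Setting the post reports as failing: after the ISAKMP and IPsec SAs
    # expired, pluto stopped re-initiating the connection.
    # dpdaction=restart
    # Setting the post reports as working: pluto keeps re-initiating and the
    # tunnel comes back once the switch is powered on again.
    dpdaction=restart_by_peer
```

After editing, reload the conn with `ipsec auto --replace machine1-to-machine2` (or restart the ipsec service), then confirm the active settings with `ipsec auto --status` and watch pluto's log for the "DPD: Restarting all connections of peer" message followed by repeated "initiating Main Mode" attempts while the peer is unreachable.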