[Openswan Users] How to correctly set up DPD
kAja Ziegler
ziegleka at gmail.com
Wed Jan 23 16:40:14 EST 2013
Hi,
I want to ask how to correctly set up DPD on both sides of a peer-to-peer
connection.
left_subnet -- left_ipsec_gateway(A) (can be a client - initiator / static
public IP) --> internet <-- right_ipsec_gateway(B) (can be a server /
static public IP) -- right_subnet
Now all seems to be working correctly, but I read that for static peers I
shouldn't use dpdaction=clear. I use dpdaction=clear because I have
problems with re-establishing the connection between left_subnet and
right_subnet after the internet connection is lost and recovers.
I tried these combinations:
(A) hold / (B) hold - ISAKMP SA established, IPsec SA established, can't
ping between left_subnet and right_subnet after internet connection
lost/recovery, ipsec restart on (B) helped
(A) hold / (B) restart_by_peer - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) hold - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart_by_peer - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery
(A) restart_by_peer / (B) clear - ISAKMP SA established, IPsec SA
established, can ping between left_subnet and right_subnet after internet
connection lost/recovery
- CentOS 6.3 (kernel: 2.6.32-279.19.1.el6.x86_64) / Openswan
2.6.32-19.el6_3.x86_64
- current configuration on left_ipsec_gateway(A)
conn A-to-B
    left=left_static_public_IP
    leftsubnet=10.0.0.0/8
    leftsourceip=10.238.20.16
    leftid=@left_fqdn
    leftrsasigkey=...
    right=right_static_public_IP
    rightsubnet=192.168.0.0/23
    rightid=@right_fqdn
    rightrsasigkey=...
    authby=rsasig
    ike=aes256-sha1;modp2048
    ikelifetime=28800s
    #ikev2=propose
    phase2alg=aes256-sha1;modp2048
    salifetime=3600s
    dpdaction=restart_by_peer
    dpddelay=30
    dpdtimeout=120
    auto=start
- current configuration on right_ipsec_gateway(B)
conn A-to-B
    left=left_static_public_IP
    leftsubnet=10.0.0.0/8
    leftsourceip=10.238.20.16
    leftid=@left_fqdn
    leftrsasigkey=...
    right=right_static_public_IP
    rightsubnet=192.168.0.0/23
    rightid=@right_fqdn
    rightrsasigkey=...
    authby=rsasig
    ike=aes256-sha1;modp2048
    ikelifetime=28800s
    #ikev2=propose
    phase2alg=aes256-sha1;modp2048
    salifetime=3600s
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    auto=start
Thanks for your answers.
--
Karel Ziegler
e-mail: ziegleka at gmail.com
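Added illustration, not part of the post or of Openswan: a small Python check that parses both gateways' copies of the conn section, confirms the shared parameters match, and flags the two DPD mistakes the thread is about (dpdaction=clear towards a static peer, and a dpdtimeout that is not larger than dpddelay). The sample conn text is constructed from the post with the elided keys dropped; the static-peer test (an address not starting with %) and the 30/120 defaults are assumptions.

```python
# Constructed sample input: the conn section from the post, reduced to the keys
# the checks use (the elided rsasigkey values are not needed here).
PEER_A = """conn A-to-B
    left=left_static_public_IP
    leftsubnet=10.0.0.0/8
    right=right_static_public_IP
    rightsubnet=192.168.0.0/23
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    dpdaction=restart_by_peer
    dpddelay=30
    dpdtimeout=120
    auto=start
"""
# Peer B's copy is identical except for dpdaction=clear, as in the post.
PEER_B = PEER_A.replace("dpdaction=restart_by_peer", "dpdaction=clear")

# Parameters that must be identical on both gateways for the tunnel to match.
SHARED_KEYS = ("left", "leftsubnet", "right", "rightsubnet", "ike", "phase2alg")

def parse_conn(text):
    """Parse one ipsec.conf 'conn' section into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def is_static(conf, side):
    """Assumption: a side is static when its address is fixed rather than %any/%defaultroute."""
    return not conf.get(side, "%any").startswith("%")

def check_dpd(conf, local_side):
    """Findings for one gateway; local_side is 'left' or 'right' for this host."""
    findings = []
    # Assumed Openswan defaults of 30/120 when the keys are absent.
    delay, timeout = int(conf.get("dpddelay", "30")), int(conf.get("dpdtimeout", "120"))
    if timeout <= delay:
        findings.append(f"dpdtimeout={timeout} must be larger than dpddelay={delay}")
    remote = "right" if local_side == "left" else "left"
    # The rule quoted in the post: 'clear' is for road warriors, not fixed peers.
    if conf.get("dpdaction", "hold") == "clear" and is_static(conf, remote):
        findings.append(f"dpdaction=clear towards static peer '{remote}'")
    return findings

def mismatches(conf_a, conf_b):
    """Shared parameters that differ between the two gateways' copies of the conn."""
    return [k for k in SHARED_KEYS if conf_a.get(k) != conf_b.get(k)]

if __name__ == "__main__":
    a, b = parse_conn(PEER_A), parse_conn(PEER_B)
    print("A:", check_dpd(a, "left"), "B:", check_dpd(b, "right"), "diff:", mismatches(a, b))
```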