[Openswan Users] How to correctly set up DPD

kAja Ziegler ziegleka at gmail.com
Wed Jan 23 16:40:14 EST 2013 

Hi,

  I want to ask how to correctly set up DPD on both sides - peer to peer
connection.

left_subnet -- left_ipsec_gateway(A) (can be a client - initiator / static
public IP) --> internet <-- right_ipsec_gateway(B) (can be a server /
static public IP) -- right_subnet

Now all seems to be working correctly but I read that for static peers I
shouldn't use dpdaction=clear. I use dpdaction=clear because I have
problems with re-establishing connection between left_subnet and
right_subnet after internet connection lost/recovery.

I tried these combinations:

(A) hold / (B) hold - ISAKMP SA established, IPsec SA established, can't
ping between left_subnet and right_subnet after internet connection
lost/recovery, ipsec restart on (B) helped
(A) hold / (B) restart_by_peer - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) hold - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart_by_peer - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery, ipsec restart on (B) helped
(A) restart_by_peer / (B) restart - ISAKMP SA established, IPsec SA
established, can't ping between left_subnet and right_subnet after internet
connection lost/recovery

(A) restart_by_peer / (B) clear - ISAKMP SA established, IPsec SA
established, can ping between left_subnet and right_subnet after internet
connection lost/recovery


- CentOS 6.3 (kernel: 2.6.32-279.19.1.el6.x86_64) / Openswan
2.6.32-19.el6_3.x86_64

- current configuration on left_ipsec_gateway(A)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=restart_by_peer
        dpddelay=30
        dpdtimeout=120

        auto=start

- current configuration on right_ipsec_gateway(B)
conn A-to-B
        left=left_static_public_IP
        leftsubnet=10.0.0.0/8
        leftsourceip=10.238.20.16
        leftid=@left_fqdn
        leftrsasigkey=...

        right=right_static_public_IP
        rightsubnet=192.168.0.0/23
        rightid=@right_fqdn
        rightrsasigkey=...

        authby=rsasig
        ike=aes256-sha1;modp2048
        ikelifetime=28800s
        #ikev2=propose
        phase2alg=aes256-sha1;modp2048
        salifetime=3600s

        dpdaction=clear
        dpddelay=30
        dpdtimeout=120

        auto=start

Thanks for your answers
-- 
Karel Ziegler

 e-mail:    ziegleka at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130123/6a5e06b9/attachment.html>

More information about the Users mailing list