Re: [Ipsec-tools-devel] Tunnel is hanging even though DPD gets though then comes back on the same S

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, Jan 12, 2007 at 05:36:09PM +0100, VANHULLEBUS Yvan wrote:
> DPD has *NOTHING* to do with IPSec SAs.
> 
> DPD is designed to only check that remote IKE daemon is still alive
> and still have the same IsakmpSA we use to talk with it.

However, it can use the fact that traffic is flowing through an IPSec SA to
suppress the need for DPD checks. RFC 3706:

"  example, peer A might define its DPD interval to be 10 seconds.
   Then, if peer A sends outbound IPSec traffic, but fails to receive
   any inbound traffic for 10 seconds, it can initiate a DPD exchange."

So I don't think it's entirely accurate to say DPD has *nothing* to do with
IPSec SAs.

OTOH, I don't know whether ipsec-tools' implementation makes use of
inbound/outbound traffic monitoring in this way, or it just does periodic
DPD.

Regards,

Brian.

Re: [Ipsec-tools-devel] Tunnel is hanging even though DPD gets though then comes back on the same S

Re: [Ipsec-tools-devel] Tunnel is hanging even though DPD gets though then comes back on the same SA