[Swan-dev] Fwd: dpddelay and dpdtimeout processing

Oleg Rosowiecki orosowiecki at gmail.com
Thu Feb 16 14:08:33 UTC 2017


Hello everyone,

Libreswan man pages state that dpddelay= has a default value of 30 and
dpdtimeout= defaults to 120 seconds. This is different from the current
behavior, i.e. if you try to leave out either of the settings (or both),
both values are ignored and default to zeroes. Also, dpdaction= is ignored
and defaults to "hold", as a consequence.

Below is the summary of the tests I made.
Does anyone have any thoughts on how to best fix it?
Oleg


Setting DPD settings in ipsec.conf and starting ipsec:
>
> dpdaction=restart
> #dpdtimeout=30
> #dpddelay=120
>
> results in this message:
>
> Feb 15 17:53:39 ester4 ipsec_starter[10283]: conn: "home-work" warning dpd
> settings are ignored unless both dpdtimeout= and dpddelay=
> are set
>
> Setting:
>
> dpdaction=restart
> dpdtimeout=30
> #dpddelay=120
>
> yields the same result, as well as:
>
> dpdaction=restart
> #dpdtimeout=30
> dpddelay=120
>
> Both dpdtimeout and dpddelay are set to zeroes, and dpdaction is set to
> "hold", as a consequence. In fact, we just skip processing these options if
> either dpddelay or dpdtimeout is not set.
>
> So we definitely need to update the man pages or *maybe* also change this
> logic in starterwhack.c to use at least one of the defaults:
>
>     if (conn->options_set[KBF_DPDDELAY] &&
>         conn->options_set[KBF_DPDTIMEOUT]) {
>         /* Set the options provided by ipsec.conf */
>     } else {
>         /* Ignore the options and issue a warning message */
>     }
>
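The behaviour reported above, modelled beside one possible defaults-based alternative. This is an added example, not code from libreswan or from the post: the structs, function names and the `dpdaction_set` flag are hypothetical, and only `KBF_DPDDELAY`, `KBF_DPDTIMEOUT` and the 30/120 defaults come from the message. It assumes DPD counts as requested when any of the three options is set.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a parsed conn; only the KBF_* names are from the post. */
enum { KBF_DPDDELAY, KBF_DPDTIMEOUT, KBF_MAX };
enum dpd_action { DPD_HOLD, DPD_RESTART };
struct conn_model {
    bool options_set[KBF_MAX];
    long options[KBF_MAX];
    bool dpdaction_set;
    enum dpd_action dpdaction;
};
struct dpd_result { long delay, timeout; enum dpd_action action; bool warned; };

#define DPD_DELAY_DEFAULT   30   /* man-page default, per the post */
#define DPD_TIMEOUT_DEFAULT 120  /* man-page default, per the post */

/* Behaviour described in the post: both timing options or nothing. */
struct dpd_result resolve_current(const struct conn_model *c)
{
    struct dpd_result r = { 0, 0, DPD_HOLD, false };
    if (c->options_set[KBF_DPDDELAY] && c->options_set[KBF_DPDTIMEOUT]) {
        r.delay = c->options[KBF_DPDDELAY];
        r.timeout = c->options[KBF_DPDTIMEOUT];
        r.action = c->dpdaction_set ? c->dpdaction : DPD_HOLD;
    } else {
        r.warned = true; /* "dpd settings are ignored unless both ... are set" */
    }
    return r;
}

/* Assumed alternative: fill whichever timing option is missing from the defaults. */
struct dpd_result resolve_with_defaults(const struct conn_model *c)
{
    struct dpd_result r = { 0, 0, DPD_HOLD, false };
    bool d = c->options_set[KBF_DPDDELAY], t = c->options_set[KBF_DPDTIMEOUT];
    if (!d && !t && !c->dpdaction_set)
        return r; /* no DPD option given at all: DPD stays off, no warning */
    r.delay = d ? c->options[KBF_DPDDELAY] : DPD_DELAY_DEFAULT;
    r.timeout = t ? c->options[KBF_DPDTIMEOUT] : DPD_TIMEOUT_DEFAULT;
    r.action = c->dpdaction_set ? c->dpdaction : DPD_HOLD;
    r.warned = !(d && t); /* still worth logging that a default was applied */
    return r;
}

int main(void)
{   /* Constructed input: dpdaction=restart, dpdtimeout=30, dpddelay unset. */
    struct conn_model c = { { false, true }, { 0, 30 }, true, DPD_RESTART };
    struct dpd_result a = resolve_current(&c), b = resolve_with_defaults(&c);
    printf("current: %ld/%ld action=%d\nwith defaults: %ld/%ld action=%d\n",
           a.delay, a.timeout, a.action, b.delay, b.timeout, b.action);
    return 0;
}
```

With the constructed input the defaulted delay equals the configured timeout (30/30), so a real change would also need to decide how to treat a timeout that is not larger than the delay.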