[Swan-dev] Fwd: dpddelay and dpdtimeout processing

Tuomo Soini tis at foobar.fi
Thu Feb 16 18:18:18 UTC 2017

On Thu, 16 Feb 2017 12:31:15 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:

> The question is, can we make that change now without breaking
> backwards compatibility. We might have people who defined dpdtimeout=
> and dpddelay= and using the default action, who would no longer see
> any DPD happening.

Libreswan dpd has always worked that way. dpddelay= and dpdtimeout=
settings enable dpd and dpdaction=hold is the default which doesn't
require being especially set. We have been discussing to remove
whole dpdaction= because we know what user want to happen when dpd is

if auto=start you want dpd to restart tunnel
if auto=route|ondemand you want dpd to hold tunnel
if auto=add you want dpd to clear tunnel

If you have other requirement than this I'd like to hear about that.
With explanation.

So removing whole dpdaction= would be correct thing to do
but still, if we now set defaults for dpdtimeout and dpddelay we enable
dpd for all vpn tunnels which might not be wanted effect. That would
also happen if we add dpd/liveness=on|off switch.

So any real fix requires breaking some configuration either by enabling
liveness checks or disabling them.

Only choice which doesn't break anything is not to set default values
and require dpdtimeout and dpddelay to be set to enable dpd/liveness
checks to happen.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
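The three options weighed in the message above (remove dpdaction= and derive the action from auto=, set defaults for dpddelay=/dpdtimeout=, or keep requiring both timers) can be checked against an existing configuration before any change ships. The following is an added example, not libreswan code and not written by anyone on this thread; it assumes a minimal ipsec.conf-style layout (a `conn NAME` line followed by indented key=value lines) and uses a constructed sample configuration. It reports which connections would change behaviour under each proposal:

```python
"""Added example (not libreswan code and not from the thread's authors).

Models the DPD configuration semantics discussed in the thread so that an
administrator can see which connections would change behaviour under each
proposal. The ipsec.conf-style parser is a minimal assumption for the demo;
the sample configuration below is constructed.
"""

# Mapping proposed in the thread: derive the DPD action from auto=.
AUTO_TO_ACTION = {"start": "restart", "route": "hold", "ondemand": "hold", "add": "clear"}


def parse_conns(text):
    """Minimal parser: a 'conn NAME' line followed by indented key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def dpd_state(conn, derive_from_auto=False, default_timers=False):
    """Return (enabled, action) for one connection.

    derive_from_auto: ignore dpdaction= and use the auto= mapping instead
                      (the "remove dpdaction=" proposal).
    default_timers:   pretend dpddelay=/dpdtimeout= have defaults
                      (the "set defaults" proposal, which enables DPD everywhere).
    Today's rule, as described in the thread: DPD is on only when both timers
    are set, and dpdaction=hold is the default when none is given.
    """
    timers_set = default_timers or ("dpddelay" in conn and "dpdtimeout" in conn)
    if not timers_set:
        return (False, None)
    if derive_from_auto:
        # None here means auto= is absent, so the mapping cannot decide.
        return (True, AUTO_TO_ACTION.get(conn.get("auto")))
    return (True, conn.get("dpdaction", "hold"))


def behaviour_changes(conns, **proposal):
    """List (name, before, after) for connections whose DPD state differs under the proposal."""
    changes = []
    for name, conn in conns.items():
        before, after = dpd_state(conn), dpd_state(conn, **proposal)
        if before != after:
            changes.append((name, before, after))
    return changes


# Constructed sample, not a real deployment.
SAMPLE_CONF = """\
conn a
    auto=start
    dpddelay=30
    dpdtimeout=120
conn b
    auto=route
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
conn c
    auto=add
    dpddelay=30
conn d
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
"""

if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, before, after in behaviour_changes(conns, derive_from_auto=True):
        print(f"remove dpdaction=: {name}: {before} -> {after}")
    for name, before, after in behaviour_changes(conns, default_timers=True):
        print(f"default timers:    {name}: {before} -> {after}")
```

Running it shows the two kinds of breakage the message describes: removing dpdaction= changes connections that relied on the hold default with auto=start (or set an action that disagrees with the auto= mapping), while adding timer defaults switches liveness checks on for connections that never had both timers set.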
