[Swan-dev] Fwd: dpddelay and dpdtimeout processing

Paul Wouters paul at nohats.ca
Thu Feb 16 18:41:29 UTC 2017

On Thu, 16 Feb 2017, Tuomo Soini wrote:

> if auto=start you want dpd to restart tunnel
> if auto=route|ondemand you want dpd to hold tunnel
> if auto=add you want dpd to clear tunnel
> If you have other requirement than this I'd like to hear about that.
> With explanation.
> So removing whole dpdaction= would be correct thing to do

I had forgotten about that discussion. Tuomo is right. The configuration
makes it obvious what action we would want to do - if we enabled DPD.

> but still, if we now set defaults for dpdtimeout and dpddelay we enable
> dpd for all vpn tunnels which might not be wanted effect. That would
> also happen if we add dpd/liveness=on|off switch.
> So any real fix requires breaking some configuration either by enabling
> liveness checks or disabling them.

We could introduce dpd/liveness=on|off, default to off but if we see
delay+timeout we set it to on and log a warning. In a few years, we could
remove this implicit "on switch". And when the on/off switch is used, we
do populate with the default values for delay/timeout.

> Only choice which doesn't break anything is not to set default values
> and require dpdtimeout and dpddelay to be set to enable dpd/liveness
> checks to happen.

But it does not fix things either :)
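
The fallback proposed above (switch defaults to off, delay+timeout acts as an implicit "on" with a warning, the switch populates default timers) combined with the auto= to action mapping, as an added example that is not libreswan code and not from either poster. The option name `liveness`, the placeholder timer defaults, and the rule that an explicit switch overrides the timers are assumptions.

```python
# Constructed placeholder defaults; the thread does not give the real values.
PLACEHOLDER_DELAY = 30
PLACEHOLDER_TIMEOUT = 120

# Tuomo's mapping from auto= to the action taken once the peer is declared dead.
ACTION_FOR_AUTO = {"start": "restart", "route": "hold",
                   "ondemand": "hold", "add": "clear"}


def resolve_dpd(conn):
    """Return (enabled, delay, timeout, action, warnings) for one conn.

    conn is a dict of option strings as read from a config file, for
    example {"auto": "start", "dpddelay": "10", "dpdtimeout": "60"}.
    """
    warnings = []
    switch = conn.get("liveness")  # hypothetical option name
    delay = conn.get("dpddelay")
    timeout = conn.get("dpdtimeout")

    if switch is None:
        # Legacy config: both timers present acts as an implicit "on".
        enabled = delay is not None and timeout is not None
        if enabled:
            warnings.append("dpddelay and dpdtimeout set without liveness=; "
                            "treating as liveness=on")
    elif switch in ("on", "off"):
        # Assumption: an explicit switch overrides whatever timers are set.
        enabled = switch == "on"
    else:
        raise ValueError("liveness must be on or off, got %r" % switch)

    if not enabled:
        return (False, None, None, None, warnings)

    # With the switch on, missing timers are populated from the defaults.
    delay = int(delay) if delay is not None else PLACEHOLDER_DELAY
    timeout = int(timeout) if timeout is not None else PLACEHOLDER_TIMEOUT
    # None when auto= has a value the thread does not cover.
    action = ACTION_FOR_AUTO.get(conn.get("auto"))
    return (True, delay, timeout, action, warnings)
```
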


