[Swan-dev] Fwd: dpddelay and dpdtimeout processing

Oleg Rosowiecki orosowiecki at gmail.com
Fri Feb 17 12:36:08 UTC 2017


The auto= setting indeed implies what the desired dpdaction would be, but...

What about a more elaborate scenario when you need to have a connection
ready, but not start it right away (e.g. when you need to flip tunnels on
the fly)? My first thought would be to configure the initiator using
auto=add + dpdaction=restart. This is what I actually do during my tests
that involve embedded equipment, where Libreswan is only part of the whole
infrastructure.

Of course, we could explicitly --add/--delete/--replace connections in this
case...

Oleg

On Thu, Feb 16, 2017 at 7:41 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 16 Feb 2017, Tuomo Soini wrote:
>
>> if auto=start you want dpd to restart tunnel
>> if auto=route|ondemand you want dpd to hold tunnel
>> if auto=add you want dpd to clear tunnel
>>
>> If you have other requirement than this I'd like to hear about that.
>> With explanation.
>>
>> So removing whole dpdaction= would be correct thing to do
>>
>
> I had forgotten about that discussion. Tuomo is right. The configuration
> makes it obvious what action we would want to do - if we enabled DPD.
>
>> but still, if we now set defaults for dpdtimeout and dpddelay we enable
>> dpd for all vpn tunnels which might not be wanted effect. That would
>> also happen if we add dpd/liveness=on|off switch.
>>
>> So any real fix requires breaking some configuration either by enabling
>> liveness checks or disabling them.
>>
>
> We could introduce dpd/liveness=on|off, default to off but if we see
> delay+timeout we set it to on and log a warning. In a few years, we could
> remove this implicit "on switch". And when the on/off switch is used, we
> do populate with the default values for delay/timeout.
>
>> Only choice which doesn't break anything is not to set default values
>> and require dpdtimeout and dpddelay to be set to enable dpd/liveness
>> checks to happen.
>>
>
> But it does not fix things either :)
>
> Paul
>
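The rules discussed in this thread (dpdaction derived from auto=, liveness enabled only by an explicit on/off switch or, with a logged warning, by the presence of both timers, and Oleg's case of an explicit dpdaction overriding the derived one) can be modelled as a small policy function over a parsed conn section. This is an added example, not libreswan code: the on/off keyword name `dpd`, the default timer values and the sample conn blocks are all assumptions made here for illustration.

```python
"""Derive the effective DPD/liveness behaviour for one ipsec.conf conn section.

Added example, not libreswan's implementation. It models the proposals in the
thread: dpdaction follows auto= unless set explicitly, and liveness is enabled
by an on/off switch or, with a warning, by dpddelay+dpdtimeout being present.
The switch keyword name ("dpd") and the default timers are assumptions.
"""
import logging
import re

log = logging.getLogger("dpd-policy")

# Tuomo's mapping: the auto= mode implies the action to take on a dead peer.
ACTION_FOR_AUTO = {
    "start": "restart",
    "route": "hold",
    "ondemand": "hold",   # ondemand is the newer spelling of route
    "add": "clear",
}

# Constructed defaults used when the switch enables liveness without timers
# (the thread does not settle these numbers; they are assumptions here).
DEFAULT_DELAY = 30
DEFAULT_TIMEOUT = 120

_TIME_RE = re.compile(r"^(\d+)(s|m|h)?$")


def parse_time(value):
    """Parse a time value such as '30', '30s' or '2m' into seconds."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    n, unit = int(m.group(1)), m.group(2) or "s"
    return n * {"s": 1, "m": 60, "h": 3600}[unit]


def parse_conn(text):
    """Parse one 'conn NAME' block (ipsec.conf style) into a key/value dict."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def effective_dpd(conn):
    """Return (enabled, delay, timeout, action) for a parsed conn dict."""
    auto = conn.get("auto", "ignore")
    # Explicit dpdaction= (Oleg's auto=add + dpdaction=restart case) wins over
    # the auto=-derived default; auto=ignore derives no action at all.
    action = conn.get("dpdaction", ACTION_FOR_AUTO.get(auto))
    has_timers = "dpddelay" in conn and "dpdtimeout" in conn
    switch = conn.get("dpd")  # hypothetical on/off keyword from Paul's proposal

    if switch == "off":
        enabled = False
    elif switch == "on":
        enabled = True
    elif has_timers:
        # Legacy style: timers alone turn liveness on, but warn so configs migrate.
        log.warning("dpddelay/dpdtimeout set without dpd=on; enabling liveness implicitly")
        enabled = True
    else:
        enabled = False

    if not enabled:
        return (False, None, None, None)
    delay = parse_time(conn["dpddelay"]) if "dpddelay" in conn else DEFAULT_DELAY
    timeout = parse_time(conn["dpdtimeout"]) if "dpdtimeout" in conn else DEFAULT_TIMEOUT
    if timeout <= delay:
        raise ValueError("dpdtimeout must be larger than dpddelay")
    return (True, delay, timeout, action)


# Constructed sample conns, one per style discussed in the thread.
LEGACY_CONN = """
conn legacy
    auto=start
    dpddelay=10
    dpdtimeout=60
"""

SWITCH_CONN = """
conn switched
    auto=add
    dpd=on
"""

OVERRIDE_CONN = """
conn flip
    auto=add
    dpd=on
    dpdaction=restart
"""

QUIET_CONN = """
conn quiet
    auto=route
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for text in (LEGACY_CONN, SWITCH_CONN, OVERRIDE_CONN, QUIET_CONN):
        print(effective_dpd(parse_conn(text)))
```

Running it shows the three outcomes the thread is weighing: the legacy conn is enabled with a warning, the switched conn is enabled with the assumed defaults and the auto=-derived action, and the quiet conn stays exactly as it is today, which is the "breaks nothing" option Tuomo describes.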