[Swan] Problem with SAupdate when SA does not exist in the kernel

Paul Wouters paul at nohats.ca
Thu Sep 12 17:28:22 EEST 2013


On Thu, 12 Sep 2013, Philippe Vouters wrote:

> For your knowledge, the IPSec dpdtimeout closest TCP/IP parameter is the 
> KEEPALIVE parameter which is both system administrator settable as well as 
> software programmable.
>
> Provided the IPSec implementations were based on TCP instead of UDP, there 
> would be no need for such dpd and dpdtimeout parameters.
>
> I checked my existing C code and I could only set SO_KEEPALIVE as an 
> on-or-off-only socket option. As far as it looks, there is no way for a programmer 
> to adjust the KEEPALIVE timer from within his code.
>
> A quick check on my Linux shows the KEEPALIVE related timeouts remain 
> settable only by a system administrator.
> [philippe at victor ~]$ sysctl -a | grep keepalive
> net.ipv4.tcp_keepalive_intvl = 75
> net.ipv4.tcp_keepalive_probes = 9
> net.ipv4.tcp_keepalive_time = 7200

That would work keeping things open only if you route into oblivion
without getting ICMPs back saying the destination IP is UNREACHABLE.
When your end receives that, it will kill the TCP session anyway.

Paul
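Added example, not code from either poster: on Linux the three timers behind the sysctls quoted above also exist as per-socket options (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT), so a program can tighten dead-peer detection for one connection without touching the system-wide defaults. The struct, function names and the 30/10/3 values are constructed for illustration.

```c
/* Added example (not part of the thread): set and read back the per-socket
 * TCP keepalive timers on Linux; the sysctls only supply the defaults. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

struct keepalive_cfg {
    int idle;   /* seconds of silence before the first probe (TCP_KEEPIDLE) */
    int intvl;  /* seconds between unanswered probes (TCP_KEEPINTVL) */
    int probes; /* unanswered probes before the kernel drops it (TCP_KEEPCNT) */
};

/* Worst-case seconds from the last segment until a silent peer is declared dead. */
long keepalive_dead_after(const struct keepalive_cfg *c)
{
    return (long)c->idle + (long)c->intvl * c->probes;
}

/* Turn keepalive on for fd and set the per-socket timers; -1 (errno set) on failure. */
int keepalive_apply(int fd, const struct keepalive_cfg *c)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &c->idle, sizeof c->idle) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &c->intvl, sizeof c->intvl) < 0) return -1;
    return setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &c->probes, sizeof c->probes);
}

/* Read the effective timers back so a caller can verify what the kernel applied. */
int keepalive_read(int fd, struct keepalive_cfg *o)
{
    socklen_t len = sizeof(int); /* all three options are plain ints */
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &o->idle, &len) < 0) return -1;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &o->intvl, &len) < 0) return -1;
    return getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &o->probes, &len);
}

int main(void)
{
    struct keepalive_cfg sys = { 7200, 75, 9 }; /* sysctl values quoted in the thread */
    struct keepalive_cfg fast = { 30, 10, 3 }, got; /* constructed: dead peer seen in 60 s */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || keepalive_apply(fd, &fast) < 0 || keepalive_read(fd, &got) < 0) { perror("keepalive"); return 1; }
    printf("sysctl defaults: dead after %ld s; per-socket: dead after %ld s\n",
           keepalive_dead_after(&sys), keepalive_dead_after(&got));
    return close(fd);
}
```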

