[strongSwan] Potential bug in DPD implementation?

Mohit Mehta mohit.mehta at vyatta.com
Thu Jul 8 20:20:41 CEST 2010


----- Original Message -----
> Hi Julian,
> 
> the ipsec output on your link doesn't show any active connections
> 
> newest ISAKMP SA: #0; newest IPsec SA: #0;
> 
> but just the connection definition itself. So please don't go
> around shouting that DPD is broken. IP address update via DNS
> lookup is not a built-in feature of the standard pluto daemon.
> Thus either Vyatta added some special functionality or it is
> done via periodically invoking the ipsec update command which
> reloads the configuration.
> 
> Regards
> 
> Andreas
> 
> 

Andreas:

Thanks for that clarification; I would've offered the same explanation, but it's always best to get confirmation from the source developers themselves.

Julian:

As for the clear command for an ipsec-peer behaving differently from the DPD clear action, that's because underneath we issue an ipsec update command to update the ipsec config without and then with the peer connection. As Andreas mentioned, DNS resolving only happens by reloading the ipsec config, either through ipsec update or restarting the daemon, etc.

Cheers,
Mohit 



