Support for Dead Peer Detection: A Traffic-Based Method of Detecting Dead IKE Peers The DPD feacture provides support for RFC3706 Dead Peer Detection. DPD works using a keepalive system, where when a tunnel is idle (established, but no traffic has traversed it for N period (dpddelay=N1) one or both sides send a "hello" messages (R_U_THERE) and the other replies with a acknowledge message (R_U_THERE_ACK). If no response received, this continues until the DPD timeout value (dpdtimeout=N2) has elapsed. If there still hasn't been any traffic or R_U_THERE_ACK packets received, the peer is declared to be dead, and the SA deleted, and related eroute removed from the table. DPD support is tuneable on a per connection basis, using the dpdtimeout, dpddelay and dpdaction directives. See also the ipsec.conf man page for more information. An example follows: conn laptop2myhome left=%defaultroute leftnexthop=%defaultroute right=192.168.0.1 dpddelay=30 dpdtimeout=120 dpdaction=clear In the above example, our keepalive time is 30 seconds, our timeout is 120 seconds, and our action is clear. So during idle periods, we send R_U_THERE packets every 30 seconds. If the tunnel is idle and we haven't received an R_U_THERE_ACK from our peer in 120 seconds, we declare the peer dead, and clear the SA + eroute (the entire tunnel is removed). Note that both sides must have either dpddelay or dpdtimeout set for DPD to be proposed or accepted. If one directive is set but not the other, the defaults are used (dpddelay=30, dpdtimeout=120). The dpdaction parameter controls what we do when a peer is determined to be dead. If set to "hold" (the default) it will place the eroute into %hold status, and wait for the peer to return. If set to "clear" it will remove the connection entirely, including both the SA and eroute. We recommend that "hold" be used for statically defined tunnels, and "clear" be used for roadwarrior tunnels. DPD support in Openswan is based on Philip Craig [1]'s work for Snapgear's ucLinux [2] and Srinivasan Venkataraman's [3] implementation, which were ported to Super FreeS/WAN by Pawel Krawczyk, and then hacked on by Pawel, JuanJo Ciarlante and Ken Bantoft. Thanks to Daniel Djamaludin [4] and Srinivasan Venkataraman for their support and advice. This code is currently maintained by Xelerance Corporation. [1] philipc@snapgear.com [2] http://cvs.uclinux.org/cgi-bin/cvsweb/uClinux-dist/freeswan/ [3] http://www.ittc.ku.edu/~sriniven/eecs801/801index.html [4] danield@snapgear.com Inter-operability Test Results: Pass: Super FreeS/WAN 1.99.7 Openswan 1.x Openswan 2.2.x Cisco Systems: VPN 3000 Concentrator Version 3.6.7.C Cisco Systems: IOS 12.2.8T Note: Previous versions had -DAPPLY_CRISCO as a compile time option to deal with Cisco devices that sent invalid cookies. According to the RFC, we SHOULD check them, not MUST. Thus, we have to accept invalid cookies. So now we do, however we still log it. Thanks to Geoffrey Huang <ghuang@cisco.com> for debating this with me.