Bug #11196

IPsec DPD action incorrect on development snapshots

Added by Jim Pingle 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 12/30/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture:

Description

The DPD action isn't correct in several cases on snapshots (swanctl format). For example:

  • "none" is not valid, should be "clear"
  • "restart" is currently the default, it should be "trap" for policy-based tunnels and "restart" for VTI
  • It should mirror the equivalent values for Child SA close action when that is set
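
A check for the three rules listed above, as an added example (not pfSense code): it reads a constructed swanctl.conf fragment and reports child sections whose `dpd_action` is invalid or differs from the expected value. The `close_action` to `dpd_action` mapping follows the strongSwan swanctl.conf documentation (none/trap/start versus clear/trap/restart); the function names, the sample config and the `vti_children` parameter are assumptions, and the parser handles only one statement per line.

```python
CLOSE_TO_DPD = {"none": "clear", "trap": "trap", "start": "restart"}
# Constructed sample, not taken from a real system.
SAMPLE = """
connections {
    con1 {
        children {
            con1_pol {
                close_action = none
                dpd_action = none
            }
            con1_vti {
                dpd_action = trap
            }
            con1_ok {
                close_action = start
                dpd_action = restart
            }
        }
    }
}
"""

def parse_children(conf):
    """Return {child: {key: value}} for settings nested under a 'children' block."""
    stack, children = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line and len(stack) >= 2 and stack[-2] == "children":
            key, value = (part.strip() for part in line.split("=", 1))
            children.setdefault(stack[-1], {})[key] = value
    return children

def expected_dpd(cfg, is_vti):
    # Mirror close_action when set; else trap (policy-based) or restart (VTI).
    return CLOSE_TO_DPD.get(cfg.get("close_action"), "restart" if is_vti else "trap")

def lint(conf, vti_children=()):
    """List (child, message) for each configured dpd_action that breaks the rules."""
    findings = []
    for name, cfg in parse_children(conf).items():
        actual, want = cfg.get("dpd_action"), expected_dpd(cfg, name in vti_children)
        if actual is not None and actual != want:
            kind = "unexpected" if actual in CLOSE_TO_DPD.values() else "invalid"
            findings.append((name, f"{kind} dpd_action '{actual}', expected '{want}'"))
    return findings
```

Children without a `dpd_action` line are skipped, since the ticket only concerns the value that gets written.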

Associated revisions

Revision d4e1fdea (diff)
Added by Jim Pingle 5 months ago

Correct DPD syntax and values. Fixes #11196

History

#1 Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Florin Samareanu 5 months ago

After going with latest dev I don’t see any duplicate p1s or p2s during the last 24h. My tunnels are mostly using default values (I did change reauth to rekey for phase 1) with vti p2s. Thank you for nailing this.
As a side note, it would be great if p2s would expose the same settings as p1s with regards to reauth/rekey/over time but current setup works well for me too.
Before I would end up with tens of duplicate p2s after a few hours.

#3 Updated by Florin Samareanu 5 months ago

This was supposed to be a comment for #10176. Apologies.

#4 Updated by Max Leighton 5 months ago

  • Status changed from Feedback to Resolved

Tested on latest build and now see dpd action set to trap, restart, or clear based on the corresponding Child SA close action. Marking the ticket resolved.
