On Wed., Jul 28, 2010, Kevin TOLLISON wrote:
>On Wed., Jul 28, 2010, Michael wrote:
>> My routers have a dynamic DNS - IPSec problem.
>> On the remote (static) router madrid.mynet.com, I see that the
>> SAD entries are never torn down and the SPD entries contain the
>> old IP address for tokyo.mynet.com.
>> I've already activated dead peer detection (DPD). What else do
>> I need to do to get this working?
>Have you tried setting up a scheduled ping to the other side?
>Pfsense now has an option to do this. I have used this trick
>successfully from a workstation or server for a long time in
No, I was trying to solve the problem without resorting to a hack.
I'll test your guess by letting ICMP traffic flow constantly between
endpoints, but my gut feeling is that it won't solve the problem.
If I understand RFC 3706 correctly, then IKE's dead peer
detection was invented to achieve the results of your ping idea
without generating additional traffic.
Is the m0n0wall implementation of DPD buggy?
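One defender-side check that follows from the symptom described above, added here as an example and not code from the thread or from m0n0wall: a script that parses `setkey -D` (SAD) and `setkey -DP` (SPD) output on the static side and flags every entry whose remote endpoint no longer matches the address the dynamic peer's name currently resolves to. The sample output, the addresses, the local-address set and the hostname-to-address map are all constructed for the example; the parser assumes the FreeBSD `setkey` text layout (a non-indented `src dst` header per SA, `proto/tunnel/A-B/level` lines inside policies) and runs offline by resolving names from the constructed map instead of DNS.

```python
"""Flag IPsec SAD/SPD entries that still reference a dynamic peer's old address.

Added example; not code from the mailing-list thread or from m0n0wall.
It parses text in the shape of FreeBSD `setkey -D` (SAD) and `setkey -DP`
(SPD) output. All sample data below is constructed.
"""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass

# Constructed `setkey -D` output as seen on madrid.mynet.com. Both SAs still
# point at 198.51.100.7, but tokyo.mynet.com has since moved (see PEERS).
SAMPLE_SAD = """\
203.0.113.5 198.51.100.7
\tesp mode=tunnel spi=268435457(0x10000001) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7 203.0.113.5
\tesp mode=tunnel spi=268435458(0x10000002) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# Constructed `setkey -DP` output: one outbound tunnel-mode policy.
SAMPLE_SPD = """\
10.1.0.0/24[any] 10.2.0.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.5-198.51.100.7/require
\tspid=1 seq=0 pid=1234
"""

# Constructed: this router's own tunnel address, and the address the dynamic
# peer's name currently publishes (stands in for a live DNS answer).
LOCAL_ADDRS = {"203.0.113.5"}
PEERS = {"tokyo.mynet.com": "198.51.100.42"}

SAD_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")          # non-indented "src dst"
SPD_TUNNEL = re.compile(r"^\s+\S+/tunnel/(\S+)-(\S+)/")  # "esp/tunnel/A-B/require"


@dataclass(frozen=True)
class Entry:
    kind: str  # "SAD" or "SPD"
    src: str
    dst: str


def parse_sad(text: str) -> list[Entry]:
    """Collect (src, dst) from the non-indented header line of each SA."""
    found = []
    for line in text.splitlines():
        m = SAD_HEADER.match(line)  # indented attribute lines never match
        if m:
            found.append(Entry("SAD", m.group(1), m.group(2)))
    return found


def parse_spd(text: str) -> list[Entry]:
    """Collect tunnel endpoints from 'proto/tunnel/A-B/level' policy lines."""
    return [Entry("SPD", m.group(1), m.group(2))
            for m in map(SPD_TUNNEL.match, text.splitlines()) if m]


def current_addresses(hosts, resolve=socket.gethostbyname) -> set[str]:
    """Resolve each peer name; pass a dict's .get to run against fixed data."""
    return {resolve(h) for h in hosts}


def find_stale(entries, local_addrs, current_peer_addrs) -> list[tuple[Entry, str]]:
    """Return (entry, remote_addr) for entries whose non-local endpoint is not
    among the addresses the peers currently resolve to."""
    stale = []
    for e in entries:
        remote = e.dst if e.src in local_addrs else e.src
        if remote not in current_peer_addrs:
            stale.append((e, remote))
    return stale


def report(sad_text: str, spd_text: str, local_addrs, peers, resolve) -> list[str]:
    """Human-readable lines, one per stale entry (empty list means all fresh)."""
    entries = parse_sad(sad_text) + parse_spd(spd_text)
    live = current_addresses(peers, resolve)
    return [f"stale {e.kind} {e.src} -> {e.dst}: remote {remote} not in {sorted(live)}"
            for e, remote in find_stale(entries, local_addrs, live)]


if __name__ == "__main__":
    # Offline run over the constructed samples; on a real router feed it the
    # output of `setkey -D` and `setkey -DP` and use socket.gethostbyname.
    for line in report(SAMPLE_SAD, SAMPLE_SPD, LOCAL_ADDRS, PEERS, PEERS.get):
        print(line)
```

A non-empty report after a DNS change, while the SAs stay in state `mature`, is the signature of the problem in the thread: the kernel still holds SAs and a policy for the old address, so new traffic to the peer's new address will not match and the peer will keep seeing its old endpoint until something tears the stale entries down.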