 From:  Heinz Teichmann <heinz dot teichmann at wanews dot com dot au>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPsec Tunnel DPD does not work
 Date:  Tue, 22 Feb 2011 22:36:37 +0800
From: René Moser [mail at renemoser dot net]
Sent: Tuesday, 22 February 2011 9:38 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPsec Tunnel DPD does not work


I am using 2 m0n0walls behind 2 dyn IPs (WAN). I am using DynDNS on both
systems. Both systems receive a new IP every ~24h. (DynDNS default TTL
of CNAME is 60s.)

I configured an IPsec tunnel on both systems, running fine. But after IP
change, the tunnel is dead. My IPsec config has a DPD of 60s (default).

When I restart racoon (disable/enable IPsec), the tunnel is up again.

I am expecting m0n0wall should detect the dead peer and restart the tunnel.
Am I wrong? Or what does DPD (Dead Peer Detection) stand for?

René Moser


I mentioned this a couple of times but there are arguments about whether there is a problem or not.
I think unless somebody implements a timer to restart racoon or a new version of racoon there is no
fix for it. I tried a lot and gave up in the end. Others reported that they got it working but I had
Monowall behind three Dynamic DNS sites and it never worked. I always had the problem you mentioned
above. Cable sites are different since they usually get the same IP again after the reconnect. So
the Tunnel can be up for a couple of weeks. Not reliable though because as soon as you get a new IP
you have the same problem there.
If you need the functionality of Monowall but don't want to spend money for checkpoint or something
like that you can still enable external ssl access and fix the tunnels if required. It's a pain in
the ass though. I changed all sites to a different product and kept the monowalls for further
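The "timer to restart racoon" workaround mentioned above, as an added example (not code from m0n0wall, racoon, or either poster): a small POSIX sh watchdog that polls the peer's DynDNS name and restarts the IPsec daemon only when the resolved address actually changes, rather than blindly on a timer, so a transient DNS failure does not tear down a working tunnel. The peer name, state file path and the RESTART_CMD hook are placeholders; `host` (from bind-tools) and `logger` are assumed to be present, and the real restart action for your box has to be filled in.

```shell
#!/bin/sh
# Added example: IPsec peer-address watchdog for dynamic-IP peers.
# Assumptions (not from the page): `host` and `logger` exist, and
# RESTART_CMD is a placeholder for whatever restarts racoon locally.

PEER_NAME="${PEER_NAME:-peer.example.dyndns.org}"      # constructed placeholder
STATE_FILE="${STATE_FILE:-/var/run/ipsec-peer-ip}"      # last address seen
RESTART_CMD="${RESTART_CMD:-echo 'restart racoon here'}" # placeholder hook
INTERVAL="${INTERVAL:-60}"                               # poll period in seconds

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_ipv4() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Check that a string is a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Compare a freshly resolved address with the one recorded in the state file.
# Returns 0 and records the new address when it differs (including the first
# sighting), 1 when unchanged, 2 when the new address is empty. An empty
# address means resolution failed; that is not a peer change, so no restart.
peer_changed() {
    new="$1"; state="$2"
    [ -n "$new" ] || return 2
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    if [ "$new" != "$old" ]; then
        printf '%s\n' "$new" > "$state"
        return 0
    fi
    return 1
}

# Main loop: poll, and restart IPsec only on a genuine address change.
watchdog() {
    while :; do
        ip=$(resolve_ipv4 "$PEER_NAME")
        if is_ipv4 "$ip" && peer_changed "$ip" "$STATE_FILE"; then
            logger -t ipsec-watchdog "peer $PEER_NAME now $ip, restarting IPsec"
            sh -c "$RESTART_CMD"
        fi
        sleep "$INTERVAL"
    done
}

# Loop only when invoked as "watchdog.sh run"; sourcing just defines functions.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Run it from cron or as a background process on the box that terminates the tunnel; because the restart fires on a recorded change rather than on every tick, it also gives you a log line with the old-to-new address transition to correlate against the racoon log when a tunnel goes dead.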