On Thu, 16 Feb 2017, Tuomo Soini wrote:

if auto=start you want dpd to restart tunnel
if auto=route|ondemand you want dpd to hold tunnel
if auto=add you want dpd to clear tunnel

If you have other requirements than this I'd like to hear about that.
With an explanation.

So removing the whole dpdaction= would be the correct thing to do

I had forgotten about that discussion. Tuomo is right. The configuration
makes it obvious what action we would want to do - if we enabled DPD.

But still, if we now set defaults for dpdtimeout and dpddelay we enable
dpd for all vpn tunnels which might not be the wanted effect. That would
also happen if we add a dpd/liveness=on|off switch.

So any real fix requires breaking some configuration either by enabling
liveness checks or disabling them.

We could introduce dpd/liveness=on|off, default to off but if we see
delay+timeout we set it to on and log a warning. In a few years, we could
remove this implicit "on switch". And when the on/off switch is used, we
do populate with the default values for delay/timeout.

The only choice which doesn't break anything is not to set default values
and require dpdtimeout and dpddelay to be set to enable dpd/liveness
checks to happen.

But it does not fix things either :)

Paul
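The resolution rules discussed in this message (dpdaction derived from auto=, an on|off switch that populates defaults, and the transitional "delay+timeout implicitly means on, with a warning" rule) modelled as a small resolver. This is an added example illustrating the proposal, not libreswan's code; the `liveness` key name, the default delay/timeout values and the `dpdaction` strings are assumptions.

```python
"""Model of the dpd/liveness resolution proposed on swan-dev (added example,
not libreswan code). Key name 'liveness', DEFAULT_DELAY/DEFAULT_TIMEOUT and the
action strings are assumptions for illustration only."""
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("liveness-config")

# Assumed placeholder defaults populated when liveness=on omits explicit values.
DEFAULT_DELAY = 30
DEFAULT_TIMEOUT = 120

# Tuomo's point: auto= already decides what to do when the peer is declared dead,
# so a separate dpdaction= setting is redundant.
ACTION_FOR_AUTO = {"start": "restart", "route": "hold", "ondemand": "hold", "add": "clear"}


@dataclass
class Liveness:
    enabled: bool
    delay: Optional[int]
    timeout: Optional[int]
    action: Optional[str]
    implicit: bool = False  # enabled only because dpddelay+dpdtimeout were given


def resolve_liveness(conn: dict) -> Liveness:
    """Return the effective liveness settings for one connection stanza."""
    auto = conn.get("auto", "add")
    if auto not in ACTION_FOR_AUTO:
        raise ValueError(f"unknown auto={auto!r}")
    delay, timeout = conn.get("dpddelay"), conn.get("dpdtimeout")
    switch = conn.get("liveness")  # proposed on|off switch; None when absent

    if switch == "off":
        return Liveness(False, None, None, None)
    if switch == "on":
        # Explicit switch: fill in whichever of delay/timeout is missing.
        return Liveness(True, DEFAULT_DELAY if delay is None else delay,
                        DEFAULT_TIMEOUT if timeout is None else timeout,
                        ACTION_FOR_AUTO[auto])
    if switch is not None:
        raise ValueError(f"liveness must be on|off, got {switch!r}")
    # No switch: transitional rule keeps old configs working but warns,
    # so the implicit enabling can be removed later without silent breakage.
    if delay is not None and timeout is not None:
        log.warning("conn %s: dpddelay+dpdtimeout without liveness=on; enabling "
                    "implicitly (deprecated)", conn.get("name", "?"))
        return Liveness(True, delay, timeout, ACTION_FOR_AUTO[auto], implicit=True)
    return Liveness(False, None, None, None)
```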
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev