Director not sending icmp unreachable to expired clients
Janusz Krzysztofik
jkrzyszt at tis.icnet.pl
Tue Feb 13 12:17:35 GMT 2007
Julian Anastasov wrote:
> Hello,

Hi Julian,

> Any support for ISAKMP keep alives in your devices?

If you mean DPD (dead peer detect) - yes, it is supported (I use
OpenSwan), but it does not work very well for me. In my case, several
tunnels can use the same ISAKMP association, and only one of them is
removed when the peer is assumed dead. Other tunnels stay on, ignoring
ICMP port unreachable messages my patched director is sending, until
they expire.

My current workaround is not using DPD, but setting a short rekey period
(15 mins or less).

Cheers,
Janusz