On Tue, 2014-01-21 at 08:02 -0800, Kevin Cernekee wrote:
> On Tue, Jan 21, 2014 at 2:47 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> > I have not tried yet, but a question on that. On the CSTP reconnect is the
> > DTLS channel kept open or is it also re-opened? If it is kept open then
> > the warnings you see are normal, as ocserv handles the CSTP channel as
> > control, and once it is discarded the DTLS channel is discarded as well.
>
> The old behavior was to keep it open. The new behavior is to
> close+reopen DTLS on CSTP reconnect.

Hm, is that necessary? One of the reasons why a VPN should run over UDP
instead of TCP is because TCP connections stall when there's packet loss.
So on a crappy connection you *do* end up with CSTP reconnects due to
aggressive DPD, while the DTLS is still quite happily running.

I seem to recall that my testing, back when this was first implemented,
seemed to show that DTLS would happily keep going even while the CSTP was
reconnecting, with no loss of service.

Hm, wait a minute... doesn't cstp_reconnect() block? In which case I
*must* have just made up that previous recollection? The DTLS connection
did continue to work, but perhaps openconnect never actually made *use*
of that to provide seamless service?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation