[strongSwan-dev] Cisco ASA Dead Peer Detection is not Interoperable
william.bloom at kinetx.com
Thu Aug 26 17:51:03 CEST 2010
I've successfully configured a strongSwan client for use with an ASA (8.0). However, in order for a VPN to remain stable, I had to disable 'isakmp keepalive' on the ASA. It seems that the ASA never sees a DPD message reply from the strongSwan client, and so deletes the SAs after 3 DPD message tries. I presume that strongSwan finds the ASA's DPD messges to be unrecognizable.
Although disabling the ASA DPD prevents the healthy, runing VPN from being unexpectedly kneecapped, I =need= DPD. Otherwise, if the client crashes then the SAs linger on the ASA and obstruct a new new VPN from being negotiated with the client.
Suggestions? Is interoperability with ASA DPD a feature that might appear in a future release?
More information about the Dev