[strongSwan-dev] Cisco ASA Dead Peer Detection is not Interoperable

William Bloom william.bloom at kinetx.com
Thu Aug 26 17:51:03 CEST 2010

I've successfully configured a strongSwan client for use with an ASA (8.0).  However, in order for a VPN to remain stable, I had to disable 'isakmp keepalive' on the ASA.  It seems that the ASA never sees a DPD message reply from the strongSwan client, and so deletes the SAs after 3 DPD message tries.  I presume that strongSwan finds the ASA's DPD messges to be unrecognizable.

Although disabling the ASA DPD prevents the healthy, runing VPN from being unexpectedly kneecapped, I =need= DPD.  Otherwise, if the client crashes then the SAs linger on the ASA and obstruct a new new VPN from being negotiated with the client.

Suggestions?  Is interoperability with ASA DPD a feature that might appear in a future release?


More information about the Dev mailing list