[strongSwan-dev] Cisco ASA Dead Peer Detection is not Interoperable

Andreas Steffen andreas.steffen at strongswan.org
Thu Aug 26 18:52:51 CEST 2010

Hi Bill,

DPD for IKEv1 is defined by RFC 3706.

Therefore if interoperability cannot be achieved either strongSwan
or the ASA box must be blamed. In order to help you I need a
strongSwan log with plutodebug=all activated in ipsec.conf which
will allow me to have a closer look at the DPD packets the ASA
box is sending.
On 08/26/2010 05:51 PM, William Bloom wrote:
> I've successfully configured a strongSwan client for use with an ASA
> (8.0).  However, in order for a VPN to remain stable, I had to
> disable 'isakmp keepalive' on the ASA.  It seems that the ASA never
> sees a DPD message reply from the strongSwan client, and so deletes
> the SAs after 3 DPD message tries.  I presume that strongSwan finds
> the ASA's DPD messages to be unrecognizable.
> Although disabling the ASA DPD prevents the healthy, running VPN from
> being unexpectedly kneecapped, I =need= DPD.  Otherwise, if the
> client crashes then the SAs linger on the ASA and obstruct a new
> VPN from being negotiated with the client.
> Suggestions?  Is interoperability with ASA DPD a feature that might
> appear in a future release?
> Bill

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
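As an added example (not part of this thread and not strongSwan code), a small Python decoder for the RFC 3706 DPD notify payloads one would be hunting for in such a plutodebug=all log: it parses R-U-THERE / R-U-THERE-ACK notifications, validates the fields the RFC fixes (DOI, Protocol-ID, 16-byte cookie SPI, 4-byte sequence number), and checks that an ACK actually answers the outstanding request. The ISAKMP cookies and sequence numbers are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Notify message types from RFC 3706 (IKEv1 Dead Peer Detection)
R_U_THERE = 36136        # carries a 4-byte sequence number
R_U_THERE_ACK = 36137    # reply that must echo the same sequence number
# Constructed ISAKMP cookies for the example, not values from any real capture
SAMPLE_IC = bytes.fromhex("0102030405060708")
SAMPLE_RC = bytes.fromhex("a1a2a3a4a5a6a7a8")

@dataclass
class DpdNotify:
    kind: str        # "R-U-THERE" or "R-U-THERE-ACK"
    icookie: bytes   # initiator cookie, first 8 bytes of the SPI field
    rcookie: bytes   # responder cookie, last 8 bytes of the SPI field
    seq: int         # DPD sequence number

def parse_dpd_notify(payload: bytes) -> DpdNotify:
    """Decode an ISAKMP Notification payload (generic header included) as a DPD message."""
    if len(payload) < 12:
        raise ValueError("too short for an ISAKMP notification payload")
    _next, _rsvd, length, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", payload[:12])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    if ntype not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError(f"notify type {ntype} is not a DPD message")
    # RFC 3706: DOI = IPsec (1), Protocol-ID = ISAKMP (1), SPI = both cookies (16 bytes)
    if doi != 1 or proto != 1 or spi_size != 16:
        raise ValueError("DPD notify must use DOI 1, Protocol-ID 1 and a 16-byte SPI")
    spi, data = payload[12:28], payload[28:]
    if len(data) != 4:
        raise ValueError("DPD notification data must be a 4-byte sequence number")
    kind = "R-U-THERE" if ntype == R_U_THERE else "R-U-THERE-ACK"
    return DpdNotify(kind, spi[:8], spi[8:], struct.unpack("!I", data)[0])

def build_dpd_notify(ntype: int, icookie: bytes, rcookie: bytes, seq: int) -> bytes:
    """Encode a DPD notify payload (inverse of parse_dpd_notify); used to build samples."""
    body = struct.pack("!IBBH", 1, 1, 16, ntype) + icookie + rcookie + struct.pack("!I", seq)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def ack_matches(request: DpdNotify, ack: DpdNotify) -> bool:
    """An ACK only proves liveness if it echoes the request's sequence number on the same SA."""
    return (request.kind == "R-U-THERE" and ack.kind == "R-U-THERE-ACK"
            and request.seq == ack.seq
            and (request.icookie, request.rcookie) == (ack.icookie, ack.rcookie))

def demo():
    # Round-trip a constructed R-U-THERE and its ACK; returns (sequence number, ack valid)
    req = parse_dpd_notify(build_dpd_notify(R_U_THERE, SAMPLE_IC, SAMPLE_RC, 7))
    ack = parse_dpd_notify(build_dpd_notify(R_U_THERE_ACK, SAMPLE_IC, SAMPLE_RC, 7))
    return req.seq, ack_matches(req, ack)
```

Feeding the decoder the raw notify bytes from a debug log shows immediately whether a peer's DPD messages deviate from the RFC 3706 layout, which is the first thing to check in an interoperability dispute.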
