[strongSwan-dev] Cisco ASA Dead Peer Detection is not Interoperable
andreas.steffen at strongswan.org
Thu Aug 26 18:52:51 CEST 2010
DPD for IKEv1 is defined by RFC 3706
Therefore if interoperability cannot be achieved either strongSwan
or the ASA box must be blamed. In order to help you I need a
strongSwan log with plutodebug=all activated in ipsec.conf which
will allow me to have a closer look at the DPD packets the ASA
box is sending.
On 08/26/2010 05:51 PM, William Bloom wrote:
> I've successfully configured a strongSwan client for use with an ASA
> (8.0). However, in order for a VPN to remain stable, I had to
> disable 'isakmp keepalive' on the ASA. It seems that the ASA never
> sees a DPD message reply from the strongSwan client, and so deletes
> the SAs after 3 DPD message tries. I presume that strongSwan finds
> the ASA's DPD messges to be unrecognizable.
> Although disabling the ASA DPD prevents the healthy, runing VPN from
> being unexpectedly kneecapped, I =need= DPD. Otherwise, if the
> client crashes then the SAs linger on the ASA and obstruct a new new
> VPN from being negotiated with the client.
> Suggestions? Is interoperability with ASA DPD a feature that might
> appear in a future release?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Dev