[strongSwan-dev] Question on IKEv1 DPD

Martin Willi martin at strongswan.org
Mon Aug 18 10:52:28 CEST 2014


Noam,

> From reading the code and experimenting a bit, it seems that if no traffic
> is being sent using a child-sa (and query_policy consistently returns an
> old time), then eventually the child-sa will be deleted even though the
> peer does answer DPD requests.

Successful DPD exchanges actually should not influence the deletion of
any CHILD_SA; it closes the IKE/ISAKMP_SA with associated CHILD_SAs, but
only if the peer does not answer after some retransmits.

There is an "inactivity" option that closes CHILD_SAs if they carry no
traffic for some time, but that is not enabled by default. The CHILD_SA
might get deleted because of its lifetime; with a sane configuration it
should get rekeyed beforehand.

If you think you see an unexpected/wrong behavior, a log file would
certainly help to see what is going on.

Regards
Martin
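An added illustration, not part of Martin's reply or of the strongSwan sources: an ipsec.conf conn section for an IKEv1 peer that separates the three mechanisms the reply distinguishes (DPD, the optional inactivity timeout, and CHILD_SA lifetime with rekeying). The option names are strongSwan's own; the timer values, subnets and peer address are assumptions chosen for illustration.

```conf
# Added example, not from the mailing-list post: an ipsec.conf conn section
# for an IKEv1 peer. Option names are strongSwan's; values are illustrative.
conn roadwarrior
    keyexchange=ikev1

    # 1. Dead Peer Detection: probe the peer every 30 s while the SA is idle.
    #    Only if the peer stops answering (retransmits exhausted, or for
    #    IKEv1 the dpdtimeout elapses) does charon act on the whole
    #    ISAKMP_SA and its CHILD_SAs. A peer that answers never triggers it.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    # 2. Inactivity: disabled by default. If set, a CHILD_SA that carries no
    #    traffic for this long is closed even though DPD keeps succeeding.
    #    Leave it unset when idle tunnels are expected to stay up.
    #inactivity=1h

    # 3. Lifetime: the CHILD_SA expires after "lifetime". margintime and
    #    rekeyfuzz schedule a rekey before expiry, so a sane configuration
    #    replaces the SA instead of letting it silently disappear.
    lifetime=1h
    margintime=9m
    rekeyfuzz=100%
    rekey=yes

    # Constructed sample topology; 203.0.113.5 is a documentation address
    # standing in for the real peer.
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=203.0.113.5
    rightsubnet=10.0.2.0/24
    auto=add
```

When a CHILD_SA disappears despite answered DPD probes, the charon log will show which of the three it was: a DPD give-up after retransmits, an inactivity close, or an expiry without the scheduled rekey.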


