[strongSwan-dev] Question on IKEv1 DPD

Noam Lampert lampert at google.com
Mon Aug 18 11:48:09 CEST 2014


It looks like I hit send a bit too soon ;-)
I will investigate more and come back if this is still relevant.

Thanks,

Noam


On Mon, Aug 18, 2014 at 11:52 AM, Martin Willi <martin at strongswan.org>
wrote:

> Noam,
>
> > From reading the code and experimenting a bit, it seems that if no traffic
> > is being sent using a child-sa (and query_policy consistently returns an
> > old time), then eventually the child-sa will be deleted even though the
> > peer does answer DPD requests.
>
> Successful DPD exchanges actually should not influence the deletion of
> any CHILD_SA; it closes the IKE/ISAKMP_SA with associated CHILD_SAs, but
> only if the peer does not answer after some retransmits.
>
> There is an "inactivity" option that closes CHILD_SAs if they carry no
> traffic for some time, but that is not enabled by default. The CHILD_SA
> might get deleted because of its lifetime; with a sane configuration it
> should get rekeyed beforehand.
>
> If you think you see an unexpected/wrong behavior, a log file would
> certainly help to see what is going on.
>
> Regards
> Martin
>
>