[strongSwan-dev] Help needed on Dead peer detection

Tobias Brunner tobias at strongswan.org
Tue Feb 17 15:57:02 CET 2015


Hi Bhashkar,

> In my software, when a dead peer is detected, an alarm is thrown.
> 'dpdtimeout = 120s and dpddelay=10s' is set in the ipsec.conf file.
> 
> Initially the IPsec tunnel between my device and the gateway is established
> properly and packets can flow between them. Then after some time I disable
> the physical interface on my device, so after dpdtimeout = 120s the dead peer
> should be detected and the alarm should be thrown. But I observe that dead
> peer detection is taking more than 180 seconds. Around 190 seconds later,
> the dead peer is detected and the alarm is thrown. Can someone help: why is
> it taking more than 120 seconds to detect the dead peer?

As is documented in the ipsec.conf(5) man page and on the wiki [1], the
`dpdtimeout` option has no effect on IKEv2 connections.  For IKEv2 the
default retransmission timeouts apply [2].  With the default settings it
should take 165s until the other peer is considered dead after a DPD (or
any other packet) has been sent while the interface is disabled (it
might take more than `dpddelay` seconds until a DPD is initially sent if
there was still inbound traffic since the last check `dpddelay` seconds
ago).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
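The 165s figure in the reply above follows from strongSwan's documented IKEv2 retransmission formula (relative timeout = retransmit_timeout * retransmit_base^n, with defaults retransmit_timeout = 4.0, retransmit_base = 1.8 and retransmit_tries = 5). The script below is an added example, not code from the thread or from the strongSwan project: it reproduces that schedule so an operator can check what a given `charon` configuration implies before tuning it, and adds the `dpddelay` wait that Tobias mentions as a worst-case head start. The function names and the assumption that the DPD is sent at most `dpddelay` seconds after the interface goes down are mine.

```python
"""Compute when strongSwan (IKEv2) declares a peer dead with given
retransmission settings.  Added example; the defaults mirror the
documented charon.conf values (retransmit_timeout=4.0,
retransmit_base=1.8, retransmit_tries=5)."""

from typing import List


def retransmission_schedule(timeout: float = 4.0,
                            base: float = 1.8,
                            tries: int = 5) -> List[float]:
    """Cumulative seconds (from the first send) at which each retransmit
    goes out.  The last entry is the instant the peer is given up on:
    after the initial send and `tries` retransmits, one more timeout
    expires with no reply."""
    schedule = []
    elapsed = 0.0
    # n runs 0..tries: the initial send's timeout plus one per retransmit
    for n in range(tries + 1):
        elapsed += timeout * (base ** n)
        schedule.append(round(elapsed, 4))
    return schedule


def dead_peer_timeout(timeout: float = 4.0,
                      base: float = 1.8,
                      tries: int = 5) -> float:
    """Seconds from the first unanswered IKE packet until the peer is
    considered dead (165.06s with defaults)."""
    return retransmission_schedule(timeout, base, tries)[-1]


def worst_case_detection(dpddelay: float,
                         timeout: float = 4.0,
                         base: float = 1.8,
                         tries: int = 5) -> float:
    """Upper bound assumed here: the link drops right after a DPD check,
    so the next DPD is sent up to `dpddelay` seconds later and only then
    does the retransmission clock start."""
    return dpddelay + dead_peer_timeout(timeout, base, tries)


if __name__ == "__main__":
    for i, t in enumerate(retransmission_schedule()):
        label = "give up" if i == 5 else f"retransmit {i + 1}"
        print(f"{t:8.2f}s  {label}")
    # Settings from the question: dpddelay=10s, IKEv2 defaults otherwise
    print(f"worst case with dpddelay=10s: {worst_case_detection(10):.2f}s")
```

Running it prints retransmits at 4.0, 11.2, 24.16, 47.49 and 89.48 seconds and a give-up point at 165.06s; with `dpddelay=10s` the worst case from the interface going down is therefore about 175s before the IKE_SA is torn down, which is why `dpdtimeout` (an IKEv1-only knob) does not explain the observed timing. To shorten detection on IKEv2, the retransmission parameters in charon.conf are the values to change, keeping in mind that they also govern every other IKE exchange, not just DPD.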
