[strongSwan-dev] Help needed on Dead peer detection
bhashkar prakash singh
singh.bhashkar at gmail.com
Thu Feb 19 05:14:05 CET 2015
Thank you very much for your reply. I verified DPD with IKEV1 connection
and Dead peer is detected within 135 to 140 seconds. So, it's working fine
One more point, is DPD sent periodically to enquire if peer is dead or only
when there is no inbound traffic for 'dpddelay' seconds ?
I am a beginner in IPSecurity, not much idea abut strongswan. Is there any
Doc/guide to better understand strongswan code.
On Tue, Feb 17, 2015 at 8:27 PM, Tobias Brunner <tobias at strongswan.org>
> Hi Bhashkar,
> > In my Software, when Dead peer is detected, an alarm is thrown.
> > 'dpdtimeout = 120s and depdelay=10s' is set in IPSec.conf file.
> > Initially IPSec tunnel between my device and gateway is established
> > properly and packets can
> > flow between them. Then After some time I disable the physical interface
> > on my device, so after dpdtimeout = 120s, Dead peer
> > should be detected and alarm should be thrown. But I observe Dead peer
> > detection is taking more than 180 seconds. Around after
> > 190 seconds, Dead peer is detected and alarm is thrown. Can someone
> > help, why is it taking more then 120 seconds to detect Dead peer.
> As is documented in the ipsec.conf(5) man page and on the wiki , the
> `dpdtimeout` option has no effect on IKEv2 connections. For IKEv2 the
> default retransmission timeouts apply . With the default settings it
> should take 165s until the other peer is considered dead after a DPD (or
> any other packet) has been sent while the interface is disabled (it
> might take more than `dpddelay` seconds until a DPD is initially sent if
> there was still inbound traffic since the last check `dpddelay` seconds
>  https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>  https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev