[strongSwan] what is the difference between hold and clear in dpd-action for IKEv2

Martin Willi martin at strongswan.org
Wed May 19 14:47:45 CEST 2010


Hi,

> I’ve been trying to find out what is the difference between hold and
> clear in strongswan (IKEv2).  The documentation is very vague! 

"clear" means: remove policy and state entries from the kernel.
"hold" means: remove the state entries, but keep the policies and
reinitiate the tunnel on matching traffic.

>         auto=route

With auto=route, this difference does not make a lot of sense. The
policies are already installed at startup, and there is no need to
reinstall them with dpdaction=restart.

> SPD policies are not touched. (I wonder which is the other CHILD_SA…
> there isn’t any other IPsec configurations)

With auto=route, a CHILD_SA stub is installed with the policies to
trigger a tunnel on traffic. It is not removed, regardless of what the
negotiated CHILD_SAs do.

Regards
Martin
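A defender-side check that makes the clear/hold distinction observable on the host, added here as an example (not code from the thread or from strongSwan): it classifies what the kernel still holds for one connection from `ip xfrm policy` and `ip xfrm state` output. The reqid value and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify a tunnel from the kernel's point of view, keyed on the reqid that
# strongSwan assigns to a connection's policies and SAs (reqid 1 is assumed).
#   up       policies and SAs present
#   hold     policies present, SAs gone (dpdaction=hold, or a trap policy)
#   clear    neither present (dpdaction=clear without auto=route)
#   orphaned SAs without policies (should not happen; worth investigating)
xfrm_tunnel_state() {
    reqid="$1"
    policies="$2"
    states="$3"
    # grep -c exits 1 when the count is 0; "|| true" keeps the printed 0
    npol=$(printf '%s\n' "$policies" | grep -c "reqid $reqid " || true)
    nsa=$(printf '%s\n' "$states" | grep -c "reqid $reqid " || true)
    if [ "$npol" -gt 0 ] && [ "$nsa" -gt 0 ]; then
        echo up
    elif [ "$npol" -gt 0 ]; then
        echo hold
    elif [ "$nsa" -gt 0 ]; then
        echo orphaned
    else
        echo clear
    fi
}

# Constructed sample of `ip xfrm policy` for a site-to-site tunnel (reqid 1)
POLICY_SAMPLE='src 10.1.0.0/16 dst 10.2.0.0/16
    dir out priority 375423 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 10.1.0.0/16
    dir in priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel'

# Constructed sample of `ip xfrm state` for the same tunnel
STATE_SAMPLE='src 192.0.2.1 dst 198.51.100.1
    proto esp spi 0xc0ffee01 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 198.51.100.1 dst 192.0.2.1
    proto esp spi 0xc0ffee02 reqid 1 mode tunnel
    replay-window 32 flag af-unspec'

# Demo on the constructed data; on a live host use
#   xfrm_tunnel_state 1 "$(ip xfrm policy)" "$(ip xfrm state)"
echo "both present:      $(xfrm_tunnel_state 1 "$POLICY_SAMPLE" "$STATE_SAMPLE")"
echo "SAs removed:       $(xfrm_tunnel_state 1 "$POLICY_SAMPLE" "")"
echo "policies removed:  $(xfrm_tunnel_state 1 "" "")"
```

As the reply above notes, a conn with auto=route keeps its trap policies regardless of the negotiated CHILD_SAs, so on such a host the check reports "hold" after either dpdaction once the SAs are gone.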