[strongSwan] Query regarding DPD with Linux

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 13 11:15:08 CEST 2011

Hello Sandeep,

at least with the Linux netkey ipsec stack, all IPsec SAs related
to an IPsec policy via a reqid must be established between the
same two endpoints. Dead peer detection is about detecting dead
endpoints and not unused IPsec SAs. Thus it does not matter on
which specific IPsec SA you receive or don't receive traffic.
If no packets at all from a given endpoint are received then
you just kill the IKE_SA and all dependent CHILD_SAs shared with
that endpoint.

Best regards


On 06/13/2011 07:27 AM, sandeep malik wrote:
> Thanks Andreas for answering the query. Please help me understand how
> DPD will work in following scenario:
> There is a system where we have one policy and under that policy there
> are three different SA's (tunnels). Now out of these three tunnels say
> traffic stops on two tunnels. Now when DPD queries it will get the
> policy_use_time with updated value since one of the tunnels is still active.
> So as per my understanding the DPD will consider the underlying tunnel
> idle only when all tunnels using one policy are idle. Is it correct or
> is there any other link which I am not able to understand.
> Regards,
> Sandeep Malik
> On Fri, Jun 10, 2011 at 3:40 PM, Andreas Steffen
> <andreas.steffen at strongswan.org>
> wrote:
>     Hello Malik,
>     we are using policy_use_time, because the state_use_time gets set
>     only once when the first packet is processed and is never updated
>     after that.
>     Regards
>     Andreas
>     On 10.06.2011 06:18, sandeep malik wrote:
>      > Hi Andreas,
>      >
>      > I was trying to go through the DPD implementation of strongswan
>     w.r.to Linux 2.6 kernel. We are using the Linux 2.6.35
>     kernel
>      > and need your help in understanding how strongswan implements DPD
>     for Linux.
>      >
>      > When I did some googling I found you had a discussion with Herbert
>      > regarding this and he suggested to use the policy use_time for
>      > implementing the DPD with Linux. I have following queries:
>      >
>      > Does strongswan use the policy use_time or state use_time for both
>      > IKEv1 and IKEv2?
>      >
>      > How does this help as per my understanding DPD shall use tunnel
>     use_time
>      > as there might be a scenario where in single policy have multiple
>     SA's
>      > and one of the SA might be active while rest inactive but the DPD
>     won't
>      > be triggered for inactive SA's as the policy use_time will keep
>     on updating.
>      >
>      > Regards,
>      > Malik

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
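A toy model of the idle decision discussed in this thread, added here as an illustration and not code from strongSwan or the Linux kernel. It assumes the two kernel timestamps behave as Andreas describes (the state use time is written once, at the first packet, and never again; the policy use time is refreshed by every matching packet) and replays Sandeep's scenario of one policy with three tunnels where traffic stops on two of them. All names in it (IPsecSA, Policy, process_packet, dpd_due, dpd_delay) are invented for the example; strongSwan itself reads the real policy use time from the kernel via XFRM.

```python
"""Toy model of how a DPD timer decides a peer is idle (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPsecSA:
    """One kernel IPsec SA. state_use_time is written only once, when the
    first packet is processed, and never touched again (per the thread)."""
    spi: int
    state_use_time: Optional[float] = None


@dataclass
class Policy:
    """One IPsec policy, identified by reqid. All SAs attached to it run
    between the same two endpoints. policy_use_time is refreshed by every
    packet matching the policy."""
    reqid: int
    sas: List[IPsecSA]
    policy_use_time: Optional[float] = None


def process_packet(policy: Policy, sa: IPsecSA, now: float) -> None:
    """Model of what the kernel does when a packet matching `policy` is
    processed on `sa`: state time set once, policy time updated always."""
    if sa.state_use_time is None:
        sa.state_use_time = now
    policy.policy_use_time = now


def last_activity_by_policy(policies: List[Policy]) -> Optional[float]:
    """Most recent traffic exchanged with the peer, judged by policy use times."""
    times = [p.policy_use_time for p in policies if p.policy_use_time is not None]
    return max(times) if times else None


def last_activity_by_state(policies: List[Policy]) -> Optional[float]:
    """Same question answered from state use times; this is the counter the
    thread explains is unusable, because it is never updated after the first packet."""
    times = [sa.state_use_time for p in policies for sa in p.sas
             if sa.state_use_time is not None]
    return max(times) if times else None


def dpd_due(policies: List[Policy], now: float, dpd_delay: float) -> bool:
    """True when no packet has been seen on any SA of this peer for dpd_delay
    seconds, i.e. a DPD exchange should be sent. Only if that exchange then
    gets no answer would the IKE_SA and all its CHILD_SAs be torn down."""
    last = last_activity_by_policy(policies)
    return last is None or now - last >= dpd_delay


def scenario() -> dict:
    """Sandeep's case: one policy, three tunnels, traffic stops on two of them."""
    sas = [IPsecSA(spi=0x1001), IPsecSA(spi=0x1002), IPsecSA(spi=0x1003)]
    pol = Policy(reqid=1, sas=sas)
    # t=0: every tunnel carries a packet
    for sa in sas:
        process_packet(pol, sa, 0.0)
    # t=10..40: only the third tunnel keeps carrying traffic
    for t in (10.0, 20.0, 30.0, 40.0):
        process_packet(pol, sas[2], t)
    return {
        "policy_use_time": pol.policy_use_time,                  # 40.0
        "state_use_times": [sa.state_use_time for sa in sas],    # [0.0, 0.0, 0.0]
        # peer is alive: one tunnel is still in use, so no DPD is needed
        "dpd_due_at_45": dpd_due([pol], now=45.0, dpd_delay=30.0),   # False
        # nothing seen since t=40 on any tunnel: time to probe the peer
        "dpd_due_at_75": dpd_due([pol], now=75.0, dpd_delay=30.0),   # True
        # the state counter would wrongly call the peer idle at t=45
        "state_time_says_idle_at_45":
            45.0 - last_activity_by_state([pol]) >= 30.0,            # True
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in Andreas' replies: because every SA under a reqid terminates at the same peer, the freshest policy use time across the peer's policies is a sound "last heard from" timestamp, while the state use time of an individual SA says nothing about whether the peer is still there.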
