[strongSwan] DPD
jeelan
jeelanp2003 at yahoo.com
Thu Jun 16 15:06:43 CEST 2011
Eduardo Torres <Eduardo.Torres at ...> writes:
>
> Hi Martin,
>
> Any idea why StrongSwan only re-tries 5 times before destroying the IKE_SA?
> Is that value hard-coded, or is there any parameter I can change?
>
> Thanks and Regards
> Eduardo
>
DPD with nat-t on the responder seems to cause issues (initiator
behind nat).
If the nat binding changes on the nat-box, dpd from the responder
side can not pass through the NAT box, causing it to give up after
5 retries, and the IKE SA gets deleted. Once this happens, any nat-binding
changes can not be updated onto child SAs. Hence all packet paths break
and both phase-1 and phase-2 have to be redone.
This does not look good. Should not the responder try DPD using the new
ports when the nat-binding on the nat-box changes? Only child SAs
seem to migrate. The IKE SA does not migrate to new ports.
I am using strongswan-4.5.0.
Any help will be greatly appreciated.
Thanks,
Best Regards,
jeelan.
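As an added configuration example (not part of this thread, and not a confirmed fix for the port-migration behaviour jeelan describes), the charon retransmission and NAT keepalive keys in strongswan.conf and the DPD keys in ipsec.conf are the knobs that govern how many times a DPD request is resent and what happens when it finally fails; the values shown are illustrative, the defaults correspond to the "5 retries" seen in the thread.

```ini
# --- /etc/strongswan.conf (charon section) ---
# Added example: strongSwan's own retransmission and NAT-T keepalive keys,
# values shown are illustrative.
charon {
    # An IKE request is resent retransmit_tries times; the wait before the
    # n-th retransmit is retransmit_timeout * retransmit_base^n seconds.
    # Defaults are 5 tries, 4.0 s and 1.8 (about 165 s in total before the
    # IKE_SA is considered dead). Raising retransmit_tries keeps the IKE_SA
    # alive longer across a short outage; lowering it detects a dead peer faster.
    retransmit_tries = 5
    retransmit_timeout = 4.0
    retransmit_base = 1.8

    # NAT-T keepalive interval. Sent by the peer behind NAT so the mapping on
    # the NAT box is refreshed between DPD exchanges instead of timing out.
    keep_alive = 20s
}

# --- /etc/ipsec.conf (connection section) ---
conn roadwarrior
    keyexchange=ikev2
    # Send a DPD exchange after 30 s without other IKE traffic.
    dpddelay=30s
    # On DPD failure, re-establish the IKE_SA instead of only deleting it,
    # so the tunnel comes back without manual intervention.
    dpdaction=restart
```

Note that these settings change how long the responder waits and what it does after the failure; they do not make an existing IKE_SA follow a changed NAT binding.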