[strongSwan] Alternative ways of controlling DPD
martin at strongswan.org
Fri Jul 6 16:55:30 CEST 2012
> Is it possible to somehow write a plugin or modify the code so it is
> possible to make the behavior for DPD independent of the settings that
> are used in other situations?
Retransmission timeouts are currently global options.
Making these settings per-connection is not that trivial: We'd have to
introduce new ipsec.conf keywords, pass them via starter and stroke and
finally store them on the peer_cfg. Then we could read these values
in the task manager. No rocket science, but needs some work.
While implementing IKEv1 DPD, we have added a connection specific DPD
timeout option to the peer_cfg. It is currently used for IKEv1 only, and
overrides the cumulative timeout to detect a dead peer. It does not
affect retransmission, but only the timeout. Maybe we should use a
similar behavior for IKEv2. This would be at least somewhat more
congruent, and brings connection specific DPD timeout.