[strongSwan] Alternative ways of controlling DPD

Martin Willi martin at strongswan.org
Fri Jul 6 16:55:30 CEST 2012

Hi Kristian,

> Is it possible to somehow write a plugin or modify the code so it is
> possible to make the behavior for DPD independent of the settings that
> are used in other situations?

Retransmission timeouts are currently global options.

Making these settings per-connection is not that trivial: We'd have to
introduce new ipsec.conf keywords, pass them via starter and stroke and
finally store them on the peer_cfg [1]. Then we could read these values
in the task manager [2]. No rocket-science, but needs some work.

While implementing IKEv1 DPD, we have added a connection-specific DPD
timeout option to the peer_cfg. It is currently used for IKEv1 only, and
overrides the cumulative timeout to detect a dead peer. It does not
affect retransmission, but only the timeout. Maybe we should use a
similar behavior for IKEv2. This would be at least somewhat more
congruent, and brings a connection-specific DPD timeout.


