[strongSwan] Alternative ways of controlling DPD
Kristian.Lippert at tieto.com
Kristian.Lippert at tieto.com
Mon Jul 30 12:25:48 CEST 2012
Hi
Thanks for the reply.
Is it possible to get callbacks when Strongswan identifies that no traffic happens (the first step in the DPD), and then when traffic happens again?
In this way we can implement our own custom DPD!
Best Regards,
Kristian
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: 6. juli 2012 16:56
To: Lippert Kristian
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Alternative ways of controlling DPD
Hi Kristian,
> Is it possible to somehow write a plugin or modify the code so it is
> possible to make the behavior for DPD independent of the settings that
> are used in other situations?
Retransmission timeouts are currently global options.
Making these settings per-connection is not that trivial: We'd have to
introduce new ipsec.conf keywords, pass them via starter and stroke and
finally store them on the peer_cfg [1]. Then we could read these values
in the task manager [2]. No rocket-science, but needs some work.
While implementing IKEv1 DPD, we have added a connection specific DPD
timeout option to the peer_cfg. It is currently used for IKEv1 only, and
overrides the cumulative timeout to detect a dead peer. It does not
affect retransmission, but only the timeout. Maybe we should use a
similar behavior for IKEv2. This would be at least somewhat more
congruent, and brings connection specific DPD timeout.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/config/peer_cfg.h;h=57215350566fded3f5c0c33c5d6e145639ff706c;hb=HEAD#l97
[2]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ikev2/task_manager_v2.c;h=81367d21c8156b33c53124756644e503dde21d02;hb=HEAD#l1497
More information about the Users
mailing list