[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites

Andreas Ntaflos daff at pseudoterminal.org
Fri Apr 5 00:06:09 CEST 2013

On 2013-04-04 19:33, Andreas Steffen wrote:
> Hi Andreas,
> from you ipsec.conf file I see that you configured
>      dpddelay        = 30s
>      dpdtimeout      = 20s
> with dpdtimeout being shorter than dpdelay. This means that
> your connection restarts before the first DPD check happens.
> We recommend for dpdtimeout to be betwen 4-5 times higher
> than dpddelay, so that the connection is cut only if 4-5
> keep-alive packets are not received. In your case:
>      dpddelay        = 30s
>      dpdtimeout      = 150s

Thank you very much for that insight, that indeed seems to have solved
the issue! We also had a connection to another site with dpddelay = 20s
and dpdtimeout = 60s. Increasing that timeout to 120s seems to have
helped against multiple "DPD: No response from peer - declaring peer
dead" messages per day.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130405/a1c38f53/attachment.pgp>

More information about the Users mailing list