[strongSwan] Strongswan needs periodic restart to re-enable traffic between sites
Andreas Ntaflos
daff at pseudoterminal.org
Fri Apr 5 00:06:09 CEST 2013
On 2013-04-04 19:33, Andreas Steffen wrote:
> Hi Andreas,
>
> from your ipsec.conf file I see that you configured
>
> dpddelay = 30s
> dpdtimeout = 20s
>
> with dpdtimeout being shorter than dpddelay. This means that
> your connection restarts before the first DPD check happens.
> We recommend for dpdtimeout to be between 4-5 times higher
> than dpddelay, so that the connection is cut only if 4-5
> keep-alive packets are not received. In your case:
>
> dpddelay = 30s
> dpdtimeout = 150s

Thank you very much for that insight, that indeed seems to have solved
the issue! We also had a connection to another site with dpddelay = 20s
and dpdtimeout = 60s. Increasing that timeout to 120s seems to have
helped against multiple "DPD: No response from peer - declaring peer
dead" messages per day.

Thanks!

Andreas
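
Added example, not part of the original thread and not strongSwan code: a small checker that reads ipsec.conf text and reports conn sections whose dpdtimeout is below 4 times dpddelay, the lower bound of the recommendation quoted above. The function names and the sample configuration are constructed for illustration, and `also=` includes are assumed not to be in use.

```python
import re
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}  # bare number = seconds

# Constructed sample using the dpddelay/dpdtimeout values quoted in the thread.
SAMPLE = """\
conn %default
    dpddelay = 30s
conn site-a
    dpdtimeout = 20s
conn site-b
    dpddelay = 20s
    dpdtimeout = 60s
conn site-a-fixed
    dpdtimeout = 150s
"""

def to_seconds(value):
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line and not line[0].isspace():            # section header at column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" and len(parts) == 2 else None
        elif current is not None and "=" in line:     # indented key = value
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_dpd(text, min_ratio=4):
    """Return (conn, dpddelay_s, dpdtimeout_s, problem) for each conn that fails."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})              # inherited by every conn
    findings = []
    for name, opts in conns.items():
        merged = {**defaults, **opts}
        if not {"dpddelay", "dpdtimeout"} <= merged.keys():
            continue                                  # nothing explicit to compare
        delay, timeout = (to_seconds(merged[k]) for k in ("dpddelay", "dpdtimeout"))
        if timeout < min_ratio * delay:
            problem = "not longer than dpddelay" if timeout <= delay else f"under {min_ratio}x dpddelay"
            findings.append((name, delay, timeout, problem))
    return findings
```

Running `check_dpd(SAMPLE)` reports site-a (30s/20s) and site-b (20s/60s) and passes site-a-fixed (30s/150s).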