[strongSwan] issue when configuring dpdaction=restart in ipsec.conf
Tobias Brunner
tobias at strongswan.org
Tue Feb 12 12:45:33 CET 2013
Hi Bhargav,
Please keep the discussion on the mailing list.
> I am using quite older version.
> strongSwan 4.3.6
>
> One more doubt:
> Can you tell what exactly this dpdaction=restart does. Is there any
> dependency for auto=route and dpdaction=restart.
dpdaction=restart reestablishes a CHILD_SA if the other peer seems to be
dead (DPD = Dead Peer Detection). With IKEv2 for every request
retransmits will be sent if no response is received within a certain
time (see [1] for configuration options). After a configurable number
of failed tries the other peer is considered dead and the action
configured with dpdaction is performed. If the dpddelay option is
larger than 0 empty INFORMATIONAL exchanges will be initiated at the
configured interval to verify that the other peer is still alive.
Please have a look at the documentation at [2] for details.
And no, auto=route and dpdaction=restart are not strictly related but
with auto=route dpdaction=clear might be sufficient as matching traffic
will reestablish the SA anyway.
Regards,
Tobias
[1] http://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
[2] http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
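
The two combinations discussed in the reply, written out as an ipsec.conf fragment. This is an added example, not part of the original message and not taken from the strongSwan documentation; the connection names, addresses and subnets are constructed placeholders, and keyexchange=ikev2 is assumed because the reply describes IKEv2 behaviour.

```conf
# ipsec.conf fragment (constructed example; names, addresses and
# subnets are placeholders, not values from the thread)

conn %default
    keyexchange=ikev2
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.1
    # dpddelay larger than 0: an empty INFORMATIONAL exchange is initiated
    # at this interval to verify that the peer is still alive. If it goes
    # unanswered, the normal retransmits follow (see [1]); once they are
    # exhausted the peer is considered dead and dpdaction is performed.
    dpddelay=30s

# Variant 1: tunnel is brought up at startup and must come back on its
# own. With auto=start nothing else would re-initiate after the peer
# is declared dead, so dpdaction=restart reestablishes the CHILD_SA.
conn site-restart
    rightsubnet=10.2.0.0/16
    auto=start
    dpdaction=restart

# Variant 2: trap policy installed with auto=route. After the peer is
# declared dead, dpdaction=clear removes the SA and the next packet
# matching the policy triggers a new negotiation.
conn site-route
    rightsubnet=10.3.0.0/16
    auto=route
    dpdaction=clear
```

With the second variant the tunnel stays down until matching traffic appears, so monitoring that alerts on a missing SA should account for idle periods.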