[strongSwan] Usage questions: DPD and auto=

Martin Willi martin at strongswan.org
Mon Mar 9 15:17:10 CET 2015


Hi Tom,

> 1.) Since IKEv2 does not use DPD, should one omit the dpdaction 
> directives from ipsec.conf for a connection using IKEv2?

While IKEv2 does not use DPD, it provides a very similar mechanism
called liveness checks. The dpdaction and dpddelay keywords work for
both IKEv1 and IKEv2 in strongSwan. The dpdtimeout value is ignored for
IKEv2 connections, as the default retransmission timeout mechanism is
used to detect a non-responsive peer.

> 2.) Is it appropriate to use auto-route on both ends of a tunnel [...]
> avoid issues when both ends try to bring the tunnel up at the same
> time?

Usually yes. There is a risk of tunnel duplicates if both peers initiate
simultaneously; whether this can be an issue depends on your traffic/setup.
Having a replace uniqueids policy can help as well.

In the next 5.3.0 release or a build from our git tree, we actively
avoid any CHILD_SA setup conflicts by using a global reqid allocation
mechanism. While this can't eliminate the risk of duplicated tunnels,
traffic should flow nonetheless over such SAs.

Regards
Martin
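An ipsec.conf fragment putting the three points above together (liveness keywords on an IKEv2 connection, auto=route on both ends, and uniqueids=replace to limit duplicates), added here as an example and not taken from the list post; the gateway addresses, subnets, identities and certificate name are assumed placeholders.

```conf
# Added example: site-to-site IKEv2 tunnel on gateway A.
# All addresses, subnets, identities and file names below are assumed.
config setup
    # A peer reconnecting with the same identity replaces its old IKE_SA,
    # which limits the lifetime of duplicate tunnels after a simultaneous
    # initiation from both ends.
    uniqueids=replace

conn net-net
    keyexchange=ikev2
    # auto=route installs the IPsec policies at startup on both gateways;
    # the IKE_SA is negotiated on demand when matching traffic appears.
    auto=route
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gw-a.example.org
    leftcert=gw-a.example.org.pem
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gw-b.example.org
    # Liveness checks (the IKEv2 counterpart of DPD): after 30s without
    # traffic an empty INFORMATIONAL is sent; if the peer stops answering,
    # the SA is torn down and re-established.
    dpdaction=restart
    dpddelay=30s
    # dpdtimeout is intentionally omitted: for IKEv2 strongSwan ignores it
    # and relies on the retransmission timeout to declare the peer dead.
```

Gateway B uses the same conn with the left and right settings swapped, so that both ends carry auto=route.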
