[strongSwan] dpd ikev2
Tobias Brunner
tobias at strongswan.org
Mon Oct 26 15:58:24 CET 2015
Hi Roger,
> To remedy this, would it be feasible to turn on dpd, but with a very
> long delay, such as 10 hours?
Sure, any IKEv2 exchange will do the trick of clearing out old sessions
(e.g. rekeying too, however, the trigger is different, see below).
> The question really is if the dpd timeout counter starts from the last
> packet received or will it be fixed to send dpd every 10 hours?
A DPD is sent only if there hasn't been any *inbound* traffic (IKE or
ESP) for the last 10 hours. A first check for this occurs 10h after the
SA got established; if there was traffic, the next check will be
scheduled for 10h-time_since_last_packet etc.
Regards,
Tobias
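
The check scheduling described in the reply above, as an added example that is not part of the original message and not strongSwan's own code: a small Python model that replays inbound packet timestamps and reports when a check merely reschedules and when a DPD is actually sent. The function name, the event labels and the sample timestamps are constructed for illustration, and the model assumes every DPD is answered at once, with the reply counting as inbound IKE traffic.

```python
from bisect import bisect_right

HOUR = 3600  # seconds


def simulate_dpd(established, delay, inbound, horizon):
    """Model the DPD check timer (hypothetical helper, not strongSwan code).

    established: time the SA was set up (seconds)
    delay:       configured DPD delay (seconds, > 0)
    inbound:     timestamps of inbound IKE/ESP packets (seconds)
    horizon:     stop simulating after this time
    Returns a list of (time, action): "check" means traffic was seen and the
    check was rescheduled, "dpd" means a DPD request was sent.
    """
    inbound = sorted(inbound)
    events = []
    last_in = established          # nothing received yet: count from SA setup
    t = established + delay        # first check one full delay after setup
    while t <= horizon:
        # Newest inbound packet seen at or before this check.
        i = bisect_right(inbound, t)
        if i and inbound[i - 1] > last_in:
            last_in = inbound[i - 1]
        idle = t - last_in
        if idle >= delay:
            events.append((t, "dpd"))
            # Assumption: the peer answers immediately and the reply counts
            # as inbound IKE traffic, so the idle clock restarts here.
            last_in = t
            t += delay
        else:
            events.append((t, "check"))
            # Next check at delay - time_since_last_packet from now,
            # i.e. exactly one delay after the last inbound packet.
            t += delay - idle
    return events


if __name__ == "__main__":
    # Constructed sample: 10h delay, inbound packets at 4h and 13h, then silence.
    sample = [4 * HOUR, 13 * HOUR]
    for when, action in simulate_dpd(0, 10 * HOUR, sample, 40 * HOUR):
        print(f"{when / HOUR:5.1f}h  {action}")
```

With a 10h delay the first DPD on an idle tunnel goes out exactly 10 hours after the last inbound packet, so a stale session on the peer can persist for up to that long before the exchange clears it.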