[strongSwan] dpd ikev2

Roger Skjetlein rskjetlein at netrunner.nu
Mon Oct 26 16:04:49 CET 2015


This is perfect.

Having turned off server-side reauth and rekey to allow all the broken
client implementations to work, the number of sessions is soaring after a
short while, but dpd will fix this for sure.

Managed to find a config that works with most of the client
implementations: iOS 8, 9, Android, Win 7-10 and OS X 10.11

Good stuff.

RS

On Mon, Oct 26, 2015 at 3:58 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Roger,
>
> > To remedy this, would it be feasible to turn on dpd, but with a very
> > long delay, such as 10 hours?
>
> Sure, any IKEv2 exchange will do the trick of clearing out old sessions
> (e.g. rekeying too, however, the trigger is different, see below).
>
> > The question really is if the dpd timeout counter starts from the last
> > packet received or will it be fixed to send dpd every 10 hours?
>
> A DPD is sent only if there hasn't been any *inbound* traffic (IKE or
> ESP) for the last 10 hours.  A first check for this occurs 10h after the
> SA got established; if there was traffic, the next check will be
> scheduled for 10h - time_since_last_packet, etc.
>
> Regards,
> Tobias
>
>


-- 
"Over the heights flies the reindeer;
after it in wind and wet!
Better that than breaking the stone
up from the poor soil down there!"
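The check scheduling Tobias describes (a DPD only when no inbound IKE/ESP traffic for the whole delay, first check one delay after SA setup, later checks moved forward by the time since the last packet), as an added Python model that is not strongSwan's own code. The class name, the inbound-timestamp list and the hour-based timeline are assumptions for illustration.

```python
"""Illustrative model of IKEv2 DPD check scheduling (not strongSwan code).

A DPD request is sent only if no inbound traffic (IKE or ESP) was seen for
`delay`.  The first check happens `delay` after the SA is established; if
traffic was seen since, the next check is rescheduled to
`delay - time_since_last_packet` from now, i.e. at last_inbound + delay.
After a DPD is sent the model just waits a full delay again; the real daemon
retransmits and applies dpdaction if the peer never answers.
"""
from dataclasses import dataclass, field


@dataclass
class DpdModel:
    delay: float                   # dpddelay, here in hours (10.0 = 10h)
    established_at: float = 0.0    # time the IKE_SA came up
    # constructed timestamps of inbound IKE/ESP packets (same unit as delay)
    inbound: list = field(default_factory=list)

    def last_inbound_before(self, t: float) -> float:
        """Most recent inbound packet at or before t, or SA setup if none."""
        seen = [p for p in self.inbound if p <= t]
        return max(seen) if seen else self.established_at

    def run(self, until: float):
        """Simulate checks up to `until`; return (check_times, dpd_send_times)."""
        checks, sends = [], []
        next_check = self.established_at + self.delay
        while next_check <= until:
            checks.append(next_check)
            idle = next_check - self.last_inbound_before(next_check)
            if idle >= self.delay:
                sends.append(next_check)        # peer silent for a full delay
                next_check += self.delay        # wait another full delay
            else:
                next_check += self.delay - idle  # == last_inbound + delay
        return checks, sends


if __name__ == "__main__":
    # Client sends something at 4h and 12h, then goes quiet (constructed).
    model = DpdModel(delay=10.0, inbound=[4.0, 12.0])
    checks, sends = model.run(until=30.0)
    print("checks at hours:", checks)   # [10.0, 14.0, 22.0]
    print("DPD sent at hours:", sends)  # [22.0]
```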