[strongSwan] DPD issues when using multiple interfaces to same Gateway

Tobias Brunner tobias at strongswan.org
Fri Apr 21 20:33:31 CEST 2017


Hi Anthony,

>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot 
>> communicate with the Gateway but others can, what happens if the DPD timer 
>> expires in only one of them?
> 
> Yes, they apply to each IKE_SA individually.
> A.M. DpdAction=clear, and multiple interfaces, after one DPD timer expires, it may not clear.
> If DpdAction=clear, and single interface, after DPD timer expires, it does clear.

So what happens instead?  Please post some logs that show this
difference in behavior (and the config that goes with it).

>> 2- When we set DPD action as restart, do we need to terminate the 
>> current IKE after the DPD timer expires, or is it done automatically?
> 
> The SA will be automatically restarted.
> A.M. after the restart and the interface comes back up, the tunnel indicates ESTABLISHED, but is not usable.

What makes it unusable?  Are routes missing?  Firewall rules?  Policies
or SAs in the kernel?

Regards,
Tobias
