[strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration
pupilla at hotmail.com
Tue Jan 9 14:36:27 CET 2018
Giuseppe De Marco <giuseppe.demarco at unical.it wrote:
Probably I'm wrong but I think that the Dead Peer Detection feature could be helpfull for you
# dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects dpdaction=clear # If the tunnel has no traffic for this long (default 30 secs), Charon will send a dead peer detection packet. The value 0 means to not send such packets, relying on ordinary traffic, which will occur at least once an hour, which is the default rekeying lifetime. dpddelay=33s # DPD Retries : 3 dpdtimeout=300s
thanks for the tips. Yes indeed dpd should do the trick. But I would like to ask if the strongswan behaviour, (not dropping the IKE/IPSec SA after timeout) is the expected one.
More information about the Users