[strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration
    Marco Berizzi 
    pupilla at hotmail.com
       
    Tue Jan  9 14:36:27 CET 2018
    
    
  
Giuseppe De Marco <giuseppe.demarco at unical.it> wrote:
Ciao Marco,
 Probably I'm wrong but I think that the Dead Peer Detection feature could be helpful for you:
  # dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects
  dpdaction=clear
  # If the tunnel has no traffic for this long (default 30 secs), Charon will send a dead peer detection packet. The value 0 means to not send such packets, relying on ordinary traffic, which will occur at least once an hour, which is the default rekeying lifetime.
  dpddelay=33s
  # DPD Retries : 3
  dpdtimeout=300s
Hi Giuseppe,
thanks for the tips. Yes, indeed DPD should do the trick. But I would like to ask if the strongSwan behaviour (not dropping the IKE/IPsec SA after timeout) is the expected one.
Thanks
    
    