[strongSwan] roadwarrior ike/esp SA are not dropped after lifetime expiration

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 11 13:00:16 CET 2018


AFAIK you can use `inactivity=$time`, but it only pertains to the CHILD_SAs (unless charon.inactivity_close_ike is set to "yes"). DPD only pertains to IKE_SAs. If an IKE_SA is deleted (and not rekeyed), its CHILD_SAs are deleted, too.
It probably works if you use both inactivity and set charon.inactivity_close_ike = yes in /etc/strongswan.d/charon.conf.

Kind regards

Noel

On 09.01.2018 14:36, Marco Berizzi wrote:
> Giuseppe De Marco <giuseppe.demarco at unical.it> wrote:
>
> Ciao Marco,
>
>  Probably I'm wrong but I think that the Dead Peer Detection feature could be helpful for you
>
>   # dead-peer detection to clear any "dangling" connections in case the client unexpectedly disconnects
>   dpdaction=clear
>   # If the tunnel has no traffic for this long (default 30 secs), Charon will send a dead peer detection packet. The value 0 means to not send such packets, relying on ordinary traffic, which will occur at least once an hour, which is the default rekeying lifetime.
>   dpddelay=33s
>   # DPD Retries : 3
>   dpdtimeout=300s
>
>
> Hi Giuseppe,
>
> thanks for the tips. Yes indeed dpd should do the trick. But I would like to ask if the strongswan behaviour (not dropping the IKE/IPSec SA after timeout) is the expected one.
>
> Thanks
