[strongSwan] Does dpd_delay make charon.keep_alive unnecessary?
Tobias Brunner
tobias at strongswan.org
Tue Nov 5 18:37:47 CET 2019
Hi Glen,
> If I set dpd_delay to something like 20s, does that make charon.keep_alive unnecessary, since the client now is guaranteed to receive packets at least once every 20s?
DPDs are sent only if no IKE or ESP traffic has been *received from* the
peer, on the other hand, NAT keepalives are sent only by initiators
behind a NAT and if no IKE or ESP traffic has been *sent to* the peer.
So it depends on the situation (NAT or not, NAT behavior) and the kind
of traffic you expect (uni- or bidirectional).
Also note that retransmits for DPDs do not follow the DPD delay but the
regular retransmission settings [1].
Using low DPD delays is also something not recommended in certain
situations (e.g. on servers for mobile roadwarriors, which might not be
reachable for a while).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
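To make the distinction in the reply concrete, here is a toy model of the two timers as an added example; it is not strongSwan code and does not reproduce charon's implementation. It assumes one-second ticks, that a DPD request is answered by the peer within the same tick (so retransmissions, which the reply notes follow the regular retransmission settings, are ignored), and uses constructed traffic patterns: one packet every 5 seconds in one or both directions. A DPD fires when nothing has been *received from* the peer for dpd_delay seconds; a NAT keepalive fires only for an initiator behind a NAT when nothing has been *sent to* the peer for keep_alive seconds. The last scenario is the situation in the question: dpd_delay set to 20s with keep_alive disabled, inbound-only traffic, and as a result no packet leaves the host at all.

```python
"""Toy model of the DPD and NAT-keepalive timers (added example, not strongSwan code)."""


def simulate(duration, dpd_delay, keep_alive, initiator_behind_nat, rx_times, tx_times):
    """Step the model one second at a time and return the list of (second, kind)
    events at which a DPD or a NAT keepalive would be sent.

    rx_times / tx_times: sets of seconds at which traffic from the peer arrives /
    our own traffic leaves (constructed sample traffic, IKE or ESP alike).
    A value of 0 for dpd_delay or keep_alive disables that timer.
    """
    last_rx = last_tx = 0  # assumption: the SA was established at t=0 with traffic both ways
    events = []
    for t in range(1, duration + 1):
        if t in rx_times:
            last_rx = t
        if t in tx_times:
            last_tx = t
        # DPD: sent by either side, but only when nothing was *received from* the peer.
        if dpd_delay and t - last_rx >= dpd_delay:
            events.append((t, "DPD"))
            last_tx = t  # the DPD request itself is IKE traffic sent to the peer
            last_rx = t  # assumption: the peer answers immediately (no retransmits modelled)
        # NAT keepalive: only an initiator behind a NAT, and only when nothing
        # was *sent to* the peer (inbound traffic does not refresh the NAT mapping).
        if initiator_behind_nat and keep_alive and t - last_tx >= keep_alive:
            events.append((t, "NAT-KEEPALIVE"))
            last_tx = t
    return events


# Constructed sample traffic: one packet every 5 seconds for a minute.
EVERY_5S = set(range(5, 61, 5))


def bidirectional_behind_nat():
    """Traffic both ways keeps both timers quiet."""
    return simulate(60, 20, 20, True, EVERY_5S, EVERY_5S)


def only_sending_behind_nat():
    """We send, the peer is silent: DPDs fire every 20s, keepalives never do."""
    return simulate(60, 20, 20, True, set(), EVERY_5S)


def only_receiving_behind_nat():
    """The peer sends, we are silent: keepalives fire every 20s, DPDs never do."""
    return simulate(60, 20, 20, True, EVERY_5S, set())


def only_receiving_keepalive_disabled():
    """dpd_delay=20s with keep_alive off, inbound-only traffic: nothing is sent
    for the whole minute, so the NAT mapping is never refreshed by this host."""
    return simulate(60, 20, 0, True, EVERY_5S, set())


if __name__ == "__main__":
    for scenario in (bidirectional_behind_nat, only_sending_behind_nat,
                     only_receiving_behind_nat, only_receiving_keepalive_disabled):
        print(f"{scenario.__name__}: {scenario()}")
```

Which timer covers a given deployment therefore depends on whether this host is the initiator behind a NAT and on which direction traffic flows; one setting does not substitute for the other.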