[strongSwan] Does dpd_delay make charon.keep_alive unnecessary?

Glen Huang heyhgl at gmail.com
Fri Nov 8 09:16:58 CET 2019


Thanks for the detailed explanation.

> NAT keepalives are sent only by initiators

In my case, the server also sends NAT keepalives, but it does live behind NAT. So I guess NAT keepalives may be sent by either side as long as it's NATed?

BTW, it also got me thinking, maybe it’s a bad idea to put the server behind NAT? I did that by putting the server inside docker, and used --cap-add NET_ADMIN as per the doc’s recommendation. Maybe I should use --net host to eliminate NAT to get better performance?

> On Nov 6, 2019, at 1:37 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Glen,
> 
>> If I set dpd_delay to something like 20s, does that make charon.keep_alive unnecessary, since the client now is guaranteed to receive packets at least once every 20s?
> 
> DPDs are sent only if no IKE or ESP traffic has been *received from* the
> peer; on the other hand, NAT keepalives are sent only by initiators
> behind a NAT and if no IKE or ESP traffic has been *sent to* the peer.
> So it depends on the situation (NAT or not, NAT behavior) and the kind
> of traffic you expect (uni- or bidirectional).
> 
> Also note that retransmits for DPDs do not follow the DPD delay but the
> regular retransmission settings [1].
> 
> Using low DPD delays is also something not recommended in certain
> situations (e.g. on servers for mobile roadwarriors, which might not be
> reachable for a while).
> 
> Regards,
> Tobias
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
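Tobias's two rules as an added Python model (not strongSwan's own code): the DPD timer is driven by traffic *received*, the NAT keepalive timer by traffic *sent*, so an initiator behind NAT with dpd_delay=20 still emits keepalives when only inbound traffic flows. Assumed simplifications: one-second ticks, an alive peer that answers every DPD, and no retransmission handling.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    """Simplified liveness-timer state for one IKE SA (an assumption, not charon's code).
    Retransmission of unanswered DPDs is deliberately not modelled."""
    is_initiator: bool
    behind_nat: bool
    dpd_delay: int      # seconds between DPDs, 0 disables
    keep_alive: int     # charon.keep_alive in seconds, 0 disables
    last_received: int = 0
    last_sent: int = 0

    def due(self, now):
        """Liveness messages due at 'now', following the two rules in the mail."""
        msgs = []
        # DPD: only when nothing has been *received from* the peer for dpd_delay.
        if self.dpd_delay and now - self.last_received >= self.dpd_delay:
            msgs.append("DPD")
        # NAT keepalive: only an initiator behind NAT, and only when nothing
        # has been *sent to* the peer for keep_alive.
        if (self.keep_alive and self.is_initiator and self.behind_nat
                and now - self.last_sent >= self.keep_alive):
            msgs.append("NAT-KEEPALIVE")
        return msgs

def simulate(peer, horizon, inbound_every=0, outbound_every=0):
    """Tick once per second; return [(t, msgs)] for every second something fired.
    inbound_every/outbound_every: period of ESP/IKE traffic in that direction (0 = none)."""
    fired = []
    for t in range(1, horizon + 1):
        if inbound_every and t % inbound_every == 0:
            peer.last_received = t
        if outbound_every and t % outbound_every == 0:
            peer.last_sent = t
        msgs = peer.due(t)
        if msgs:
            fired.append((t, msgs))
            peer.last_sent = t            # whatever we sent counts as traffic to the peer
            if "DPD" in msgs:
                peer.last_received = t    # assume the peer is up and answers the DPD
    return fired

if __name__ == "__main__":
    # Glen's setup: dpd_delay=20 alongside keep_alive=20 on an initiator behind NAT.
    kw = dict(is_initiator=True, behind_nat=True, dpd_delay=20, keep_alive=20)
    print(simulate(Peer(**kw), 60, inbound_every=5))   # keepalives at 20, 40, 60
    print(simulate(Peer(**kw), 60, outbound_every=5))  # DPDs at 20, 40, 60, no keepalives
    print(simulate(Peer(**kw), 60, inbound_every=5, outbound_every=5))  # []
```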
