[strongSwan] Does dpd_delay make charon.keep_alive unnecessary?

Tobias Brunner tobias at strongswan.org
Fri Nov 8 09:30:00 CET 2019


Hi Glen,

> So I guess NAT keepalives may be sent by either side as long as it's NATed?

You are right.  I thought we disabled that on responders at some point
as a NAT on that end usually has to be static so keepalives are not
necessary.  But it's possible that we left it as is with dynamic double
NAT scenarios via mediation extension in mind.  It could always be
disabled on servers behind static NATs via charon.keep_alive=0.

> Maybe I should use --net host to eliminate NAT to get better performance?

Unless your clients are *not* behind a NAT, it probably doesn't make
that much of a difference as UDP encapsulation will be required anyway.
But sure, for full performance you probably want to avoid the
additional NAT.

Regards,
Tobias
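The thread turns on two different mechanisms sharing UDP port 4500: NAT-T keepalives (which charon.keep_alive controls) and DPD (which dpd_delay controls and which travels as IKE INFORMATIONAL exchanges). The following is an added example, not code from the mailing list post or from strongSwan, that classifies raw UDP/4500 payloads so an operator can confirm from a capture whether a peer still emits keepalives after changing charon.keep_alive, and separate them from DPD traffic. It uses only the framing rules from RFC 3948 (a single 0xFF octet is a keepalive; four zero octets mark IKE, since ESP SPI 0 is reserved) and the IKEv2 header layout from RFC 7296. The `ike_packet` builder, the sample trace and the SPI values are constructed for the demonstration.

```python
"""Classify UDP/4500 payloads as NAT keepalive, ESP-in-UDP, or IKE.

Added example (not from the strongSwan post above).  Framing follows
RFC 3948 (UDP encapsulation of ESP/IKE) and RFC 7296 (IKEv2 header).
"""
from collections import Counter

NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one octet, value 0xFF
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE carried on port 4500
IKE_HEADER_LEN = 28                   # RFC 7296 s3.1: SPIs(16)+NP(1)+Ver(1)+XT(1)+Flags(1)+MID(4)+Len(4)

# IKEv2 exchange types (RFC 7296 s3.1).  DPD is an empty INFORMATIONAL exchange.
IKEV2_EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def classify(payload: bytes) -> str:
    """Return a label for one UDP/4500 datagram payload."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return "ike-truncated"
        major = ike[17] >> 4            # version octet: major in high nibble
        exchange_type = ike[18]
        if major == 2:
            return "ike:" + IKEV2_EXCHANGE.get(exchange_type, f"exchange-{exchange_type}")
        return f"ike:v{major}"
    # Anything else with a non-zero leading word is ESP: SPI(4) + sequence(4) at least.
    if len(payload) >= 8:
        return "esp"
    return "malformed"


def ike_packet(exchange_type: int, response: bool = False, msg_id: int = 0,
               body: bytes = b"") -> bytes:
    """Build a minimal IKEv2 datagram as seen on port 4500 (constructed, fixed SPIs)."""
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes.fromhex("1112131415161718")
    next_payload = 46 if exchange_type != 34 else 33   # SK for protected exchanges, SA for INIT
    flags = 0x20 if response else 0x08                # R flag vs I flag
    header = spi_i + spi_r + bytes([next_payload, 0x20, exchange_type, flags])
    header += msg_id.to_bytes(4, "big") + (IKE_HEADER_LEN + len(body)).to_bytes(4, "big")
    return NON_ESP_MARKER + header + body


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build an ESP-in-UDP payload: SPI, sequence number, opaque encrypted body (constructed)."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext


# Constructed trace: a client behind NAT sends keepalives between ESP packets,
# and the DPD timer produces an INFORMATIONAL request/response pair.
SAMPLE_TRACE = [
    NAT_KEEPALIVE,
    esp_packet(0xC0FFEE01, 1, b"\x00" * 16),
    esp_packet(0xC0FFEE01, 2, b"\x00" * 16),
    ike_packet(37, msg_id=5),                    # DPD request (empty INFORMATIONAL)
    ike_packet(37, response=True, msg_id=5),     # DPD response
    NAT_KEEPALIVE,
]


def summarize(packets) -> Counter:
    """Count each traffic class in a list of UDP/4500 payloads."""
    return Counter(classify(p) for p in packets)


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"{label:20s} {count}")
```

Feed `classify` with the UDP payloads from a capture filtered on port 4500; if "nat-keepalive" still appears from the server side after setting charon.keep_alive=0 there, the setting did not take effect, while "ike:INFORMATIONAL" entries at the dpd_delay interval are the DPD exchanges that remain regardless.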

