I've successfully configured a strongSwan client for use with an ASA (8.0). However, in order for a VPN to remain stable, I had to disable 'isakmp keepalive' on the ASA. It seems that the ASA never sees a DPD message reply from the strongSwan client, and so deletes the SAs after 3 DPD message tries. I presume that strongSwan finds the ASA's DPD messages to be unrecognizable.
Although disabling the ASA DPD prevents the healthy, running VPN from being unexpectedly kneecapped, I =need= DPD. Otherwise, if the client crashes then the SAs linger on the ASA and obstruct a new VPN from being negotiated with the client. Suggestions? Is interoperability with ASA DPD a feature that might appear in a future release?

Bill
