Hi Bill,

DPD for IKEv1 is defined by RFC 3706

http://tools.ietf.org/html/rfc3706

Therefore, if interoperability cannot be achieved, either strongSwan or
the ASA box must be blamed. In order to help you, I need a strongSwan log
with plutodebug=all activated in ipsec.conf, which will allow me to have
a closer look at the DPD packets the ASA box is sending.

Regards

Andreas

On 08/26/2010 05:51 PM, William Bloom wrote:
>
> I've successfully configured a strongSwan client for use with an ASA
> (8.0). However, in order for a VPN to remain stable, I had to
> disable 'isakmp keepalive' on the ASA. It seems that the ASA never
> sees a DPD message reply from the strongSwan client, and so deletes
> the SAs after 3 DPD message tries. I presume that strongSwan finds
> the ASA's DPD messages to be unrecognizable.
>
> Although disabling the ASA DPD prevents the healthy, running VPN from
> being unexpectedly kneecapped, I =need= DPD. Otherwise, if the
> client crashes then the SAs linger on the ASA and obstruct a new
> VPN from being negotiated with the client.
>
> Suggestions? Is interoperability with ASA DPD a feature that might
> appear in a future release?
>
>
> Bill
>

======================================================================
Andreas Steffen
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
