Hi,

> My question is if ikev1 dpd is sensitive to ipsec-sa (those ipsec-sas
> known to be children of 'this' ike-sa) traffic as a proof of peer
> liveness.

Yes, a DPD check is omitted if any traffic has been received recently on
one of the CHILD_SAs/Quick Modes.

> last_in = get_use_time(this, TRUE);
> now = time_monotonic(NULL);
> diff = now - last_in;
> if (!delay || diff >= delay)
> {
>
> The relevant call to get_use_time above looks at a stat named
> STAT_INBOUND on the ike sa which records the last time traffic was
> observed. The calls to set_statistic(STAT_INBOUND) only occur in ike
> message processing, as far as I can tell.

That mentioned get_use_time() function also queries all CHILD_SAs for
the last inbound traffic. Each CHILD_SA then queries the IPsec backend
(the kernel) for the last SA use.

Regards
Martin
_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev