Dang Nabbit. Now that you say it, I can see it. Don't know why I couldn't see it before.
Anyway, thanks Martin. I'm appreciating both the information and the tone of your reply.

--
Ricky Charlet

-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Thursday, January 23, 2014 10:47 PM
To: Charlet, Ricky
Cc: [email protected]
Subject: Re: [strongSwan-dev] Q: is ikev1 dpd sensitive to ipsec traffic as proof of liveness?

Hi,

> My question is if ikev1 dpd is sensitive to ipsec-sa (those ipsec-sas
> known to be children of 'this' ike-sa) traffic as a proof of peer
> liveness.

Yes, a DPD check is omitted if any traffic has been received recently on
one of the CHILD_SAs/Quick Modes.

>     last_in = get_use_time(this, TRUE);
>     now = time_monotonic(NULL);
>     diff = now - last_in;
>     if (!delay || diff >= delay)
>     {
>
> The relevant call to get_use_time above looks at a stat named
> STAT_INBOUND on the ike sa which records the last time traffic was
> observed. The calls to set_statistic(STAT_INBOUND) only occur in ike
> message processing, as far as I can tell.

That mentioned get_use_time() function also queries all CHILD_SAs for the
last inbound traffic. Each CHILD_SA then queries the IPsec backend (the
kernel) for the last SA use.

Regards
Martin
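
The liveness decision described in Martin's reply, as an added example that is not part of the original messages and is not strongSwan source. It is a simplified C model: the struct and function names (child_sa_model, ike_sa_model, model_last_inbound, model_dpd_probe_needed) are hypothetical, and the kernel's per-SA use time is represented by a plain field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Simplified model, not strongSwan code: every name below is hypothetical. */
struct child_sa_model {
    time_t last_inbound_use;  /* last inbound use reported for the IPsec SA; 0 = never used */
};

struct ike_sa_model {
    time_t last_inbound_ike;  /* last inbound IKE message on this IKE_SA */
    const struct child_sa_model *children;
    size_t child_count;
};

/* Most recent inbound activity across the IKE_SA and all of its CHILD_SAs. */
time_t model_last_inbound(const struct ike_sa_model *sa)
{
    time_t latest = sa->last_inbound_ike;
    for (size_t i = 0; i < sa->child_count; i++) {
        if (sa->children[i].last_inbound_use > latest)
            latest = sa->children[i].last_inbound_use;
    }
    return latest;
}

/* Same condition as the quoted snippet: probe when delay is 0, or when
 * nothing has been received for at least `delay` seconds. */
bool model_dpd_probe_needed(const struct ike_sa_model *sa, time_t now, time_t delay)
{
    time_t diff = now - model_last_inbound(sa);
    return !delay || diff >= delay;
}

int main(void)
{
    /* Constructed sample: IKE silent since t=900, one CHILD_SA never used,
     * one CHILD_SA that last received traffic at t=995. */
    struct child_sa_model kids[] = { { 0 }, { 995 } };
    struct ike_sa_model sa = { 900, kids, 2 };

    printf("t=1000 delay=30: probe=%d\n", model_dpd_probe_needed(&sa, 1000, 30));
    printf("t=1030 delay=30: probe=%d\n", model_dpd_probe_needed(&sa, 1030, 30));
    printf("t=1000 delay=0:  probe=%d\n", model_dpd_probe_needed(&sa, 1000, 0));
    return 0;
}
```

In this model, inbound traffic on any one CHILD_SA is enough to suppress the probe, even when no IKE message has arrived for longer than the delay.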
