Noam,

> From reading the code and experimenting a bit, it seems that if no traffic
> is being sent using a child-sa (and query_policy consistently returns an
> old time), then eventually the child-sa will be deleted even though the
> peer does answer DPD requests.
Successful DPD exchanges actually should not influence the deletion of any CHILD_SA; it closes the IKE/ISAKMP_SA with associated CHILD_SAs, but only if the peer does not answer after some retransmits.

There is an "inactivity" option that closes CHILD_SAs if they carry no traffic for some time, but that is not enabled by default.

The CHILD_SA might get deleted because of its lifetime; with a sane configuration it should get rekeyed beforehand.

If you think you see an unexpected/wrong behavior, a log file would certainly help to see what is going on.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
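To illustrate the three separate mechanisms Martin lists (DPD on the IKE_SA, the per-CHILD_SA inactivity timeout, and CHILD_SA lifetime), here is an added swanctl.conf fragment; it is not from the thread, and the connection name, child name, addresses and traffic selectors are constructed placeholders.

```conf
# Added illustration; connection/child names and addresses are made up.
connections {
    site-a {
        remote_addrs = 203.0.113.5
        # DPD is an IKE_SA-level liveness check: after dpd_delay without
        # inbound traffic strongSwan sends INFORMATIONAL requests. Only a
        # peer that never answers (after the retransmission schedule) causes
        # the IKE_SA, and with it all CHILD_SAs, to be closed. A peer that
        # answers DPD keeps every CHILD_SA alive regardless of traffic.
        dpd_delay = 30s
        children {
            net-a {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # What to do with this CHILD_SA once DPD declares the peer dead.
                dpd_action = restart
                # Separate feature: close this CHILD_SA after 10 minutes with
                # no traffic in either direction. Disabled (0) by default, so
                # an idle CHILD_SA is not removed unless this is set.
                inactivity = 10m
                # Lifetime: rekey at rekey_time, hard-expire at life_time.
                # If rekeying keeps failing, the hard expiry deletes the SA.
                rekey_time = 1h
                life_time  = 66m
            }
        }
    }
}
```

When debugging an unexpected CHILD_SA deletion, checking which of these three settings is in effect narrows down whether the log should show DPD retransmit failures, an inactivity expiry, or a hard lifetime expiry.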
