Hi,

I am using strongSwan in my project. I need some help with dead peer detection (DPD). In my software, when a dead peer is detected, an alarm is thrown. 'dpdtimeout=120s and dpddelay=10s' is set in the ipsec.conf file.

Initially the IPsec tunnel between my device and the gateway is established properly and packets can flow between them. Then after some time I disable the physical interface on my device, so after dpdtimeout=120s the dead peer should be detected and the alarm should be thrown. But I observe that dead peer detection is taking more than 180 seconds. After around 190 seconds, the dead peer is detected and the alarm is thrown.

Can someone help: why is it taking more than 120 seconds to detect the dead peer? Thank you very much in advance.

*IPSec policy configuration on device:*

config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

conn %default
    auto=start
    pfs=no
    forceencaps=no
    keyingtries=%forever
    mobike=no

conn conn1
    type=tunnel
    leftsubnet=10.10.10.12/24
    rightsubnet=10.10.10.7/24
    left=10.10.10.12
    right=10.10.10.7
    keyexchange=ikev2
    reauth=no
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83376s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=86400s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rekeyfuzz=50%
    rekeymargin=180s

============================================================

*IPSec Configuration on gateway:*

config setup
    plutostart=yes
    plutodebug=none
    nat_traversal=no
    uniqueids=no
    charonstart=yes
    charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

conn %default
    auto=start
    pfs=no
    forceencaps=no
    keyingtries=%forever
    mobike=no

conn conn1
    type=tunnel
    leftsubnet=10.10.10.7/24
    rightsubnet=10.10.10.12/24
    left=10.10.10.7
    right=10.10.10.12
    keyexchange=ikev2
    reauth=no
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83376s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=300s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
    leftcert=/etc/ipsec.d/certs/btsCert.pem
    rekeyfuzz=50%
    rekeymargin=180s

Regards,
Bhashkar
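
An added example (not part of the original post, and not strongSwan's own code) that parses the DPD-relevant keys of the posted conn section and estimates the detection window. It relies on the ipsec.conf documentation, which states that dpdtimeout applies only to IKEv1 and that IKEv2 uses the retransmission timeout instead. Assumptions: charon's documented default retransmission settings (retransmit_timeout 4.0, retransmit_base 1.8, retransmit_tries 5), the constructed SAMPLE_CONF, and all function names.

```python
import re

# Assumed charon defaults (strongswan.conf: charon.retransmit_timeout,
# charon.retransmit_base, charon.retransmit_tries); not values from the post.
RETRANSMIT_TIMEOUT, RETRANSMIT_BASE, RETRANSMIT_TRIES = 4.0, 1.8, 5

# Constructed sample: only the DPD-relevant keys of the posted configuration.
SAMPLE_CONF = """\
conn %default
    mobike=no
conn conn1
    keyexchange=ikev2
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=120s
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with conn %default merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def seconds(value):
    """Convert an ipsec.conf time value such as 10s, 2m or 1h to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def retransmit_window(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                      tries=RETRANSMIT_TRIES):
    """Seconds from first send until the exchange is abandoned: sum of timeout * base**n."""
    return sum(timeout * base ** n for n in range(tries + 1))

def dpd_detection_estimate(opts):
    """Estimated seconds of silence before the peer is declared dead."""
    if opts.get("keyexchange") == "ikev2":
        # IKEv2: dpdtimeout is not consulted; the DPD request sent after
        # dpddelay of inactivity must exhaust its retransmissions.
        return seconds(opts.get("dpddelay", "30s")) + retransmit_window()
    # Otherwise treated as IKEv1 here, where dpdtimeout is the limit.
    return seconds(opts.get("dpdtimeout", "150s"))
```

With these assumed defaults the estimate for conn1 is about 175 s (10 s of dpddelay plus about 165 s of retransmissions), regardless of dpdtimeout=120s.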
