Hi Bhashkar,

> In my Software, when Dead peer is detected, an alarm is thrown.
> 'dpdtimeout = 120s and depdelay=10s' is set in IPSec.conf file.
>
> Initially IPSec tunnel between my device and gateway is established
> properly and packets can flow between them. Then after some time I
> disable the physical interface on my device, so after dpdtimeout = 120s,
> Dead peer should be detected and alarm should be thrown. But I observe
> Dead peer detection is taking more than 180 seconds. Around after
> 190 seconds, Dead peer is detected and alarm is thrown. Can someone
> help, why is it taking more than 120 seconds to detect Dead peer.

As is documented in the ipsec.conf(5) man page and on the wiki [1], the `dpdtimeout` option has no effect on IKEv2 connections. For IKEv2 the default retransmission timeouts apply [2]. With the default settings it should take 165s until the other peer is considered dead after a DPD (or any other packet) has been sent while the interface is disabled (it might take more than `dpddelay` seconds until a DPD is initially sent if there was still inbound traffic since the last check `dpddelay` seconds ago).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
[2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
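
The 165s figure in the reply above follows from the IKEv2 retransmission schedule. The following is an added example, not part of the original message and not strongSwan's code: it computes that schedule and finds the largest `retransmit_tries` that still declares the peer dead within a target such as the 120s the poster expected. The default values used (`retransmit_timeout` 4.0, `retransmit_base` 1.8, `retransmit_tries` 5) and all function names are assumptions of this example.

```python
"""IKEv2 retransmission schedule behind the dead-peer detection time."""

# Assumed charon.retransmit_* defaults from strongswan.conf; they reproduce
# the 165s figure quoted in the reply.
DEFAULT_TIMEOUT = 4.0  # retransmit_timeout, seconds
DEFAULT_BASE = 1.8     # retransmit_base
DEFAULT_TRIES = 5      # retransmit_tries


def retransmit_waits(timeout=DEFAULT_TIMEOUT, base=DEFAULT_BASE,
                     tries=DEFAULT_TRIES, limit=None):
    """Waits in seconds: one after the initial send, one after each retransmit.

    The n-th wait is timeout * base**n, optionally capped at `limit`.
    When the last wait expires without a reply, the peer is considered dead.
    """
    waits = []
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit is not None:
            wait = min(wait, limit)
        waits.append(wait)
    return waits


def give_up_after(**settings):
    """Seconds from sending a request (e.g. a DPD) to declaring the peer dead."""
    return sum(retransmit_waits(**settings))


def max_tries_within(deadline, max_search=64, **settings):
    """Largest retransmit_tries whose give-up time fits in `deadline` seconds.

    Returns None if even zero retransmits would exceed the deadline.
    """
    best = None
    for tries in range(max_search):
        if give_up_after(tries=tries, **settings) > deadline:
            break
        best = tries
    return best


if __name__ == "__main__":
    elapsed = 0.0
    for i, wait in enumerate(retransmit_waits()):
        elapsed += wait
        print(f"wait {i}: {wait:6.2f}s  (elapsed {elapsed:7.2f}s)")
    print("give up after:", round(give_up_after(), 2), "s")
    print("max tries for a 120s budget:", max_tries_within(120))
```

The result is measured from the moment the DPD request is sent, so the time until that first DPD goes out adds to it, as the reply notes.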
