Hi Tobias,

Thank you very much for your reply. I verified DPD with an IKEv1 connection and the dead peer is detected within 135 to 140 seconds. So, it's working fine.

One more point: is DPD sent periodically to enquire if the peer is dead, or only when there is no inbound traffic for 'dpddelay' seconds?

I am a beginner in IPSecurity, not much idea about strongSwan. Is there any doc/guide to better understand the strongSwan code?

Thanks,
Bhashkar

On Tue, Feb 17, 2015 at 8:27 PM, Tobias Brunner <[email protected]> wrote:

> Hi Bhashkar,
>
> > In my Software, when Dead peer is detected, an alarm is thrown.
> > 'dpdtimeout = 120s and depdelay=10s' is set in IPSec.conf file.
> >
> > Initially IPSec tunnel between my device and gateway is established
> > properly and packets can flow between them. Then after some time I
> > disable the physical interface on my device, so after
> > dpdtimeout = 120s, Dead peer should be detected and alarm should be
> > thrown. But I observe Dead peer detection is taking more than 180
> > seconds. Around after 190 seconds, Dead peer is detected and alarm is
> > thrown. Can someone help, why is it taking more than 120 seconds to
> > detect Dead peer.
>
> As is documented in the ipsec.conf(5) man page and on the wiki [1], the
> `dpdtimeout` option has no effect on IKEv2 connections. For IKEv2 the
> default retransmission timeouts apply [2]. With the default settings it
> should take 165s until the other peer is considered dead after a DPD (or
> any other packet) has been sent while the interface is disabled (it
> might take more than `dpddelay` seconds until a DPD is initially sent if
> there was still inbound traffic since the last check `dpddelay` seconds
> ago).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
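The 165s figure in the quoted reply can be reproduced from the IKEv2 retransmission schedule. The sketch below is an added example, not part of the original thread or strongSwan's own code. It assumes the strongswan.conf defaults `retransmit_timeout = 4.0`, `retransmit_base = 1.8` and `retransmit_tries = 5`, which the thread does not quote; the function names are hypothetical.

```python
# Added example: IKEv2 retransmission schedule and its effect on
# dead-peer detection time. The three defaults are assumed to be
# strongSwan's charon.retransmit_* values; the thread does not list them.
RETRANSMIT_TIMEOUT = 4.0   # seconds before the first retransmit
RETRANSMIT_BASE = 1.8      # exponential backoff factor
RETRANSMIT_TRIES = 5       # retransmits before giving up


def retransmit_schedule(timeout=RETRANSMIT_TIMEOUT, base=RETRANSMIT_BASE,
                        tries=RETRANSMIT_TRIES):
    """Return (retransmit_times, give_up_time) in seconds, measured
    from the moment the request (e.g. a DPD) is first sent."""
    if timeout <= 0 or base < 1 or tries < 0:
        raise ValueError("need timeout > 0, base >= 1, tries >= 0")
    marks, elapsed = [], 0.0
    for n in range(tries + 1):
        elapsed += timeout * base ** n   # n-th wait grows by `base`
        marks.append(elapsed)
    # The last mark is not a retransmit: it is when the peer is declared dead.
    return marks[:-1], marks[-1]


def detection_time(wait_before_dpd, **settings):
    """Seconds from link loss to 'peer dead' if the first unanswered
    request goes out `wait_before_dpd` seconds after the link drops."""
    return wait_before_dpd + retransmit_schedule(**settings)[1]


def max_tries_within(budget, timeout=RETRANSMIT_TIMEOUT,
                     base=RETRANSMIT_BASE):
    """Largest retransmit_tries whose give-up time fits in `budget`
    seconds, or None if even zero retransmits takes longer."""
    best, n = None, 0
    while retransmit_schedule(timeout, base, n)[1] <= budget:
        best, n = n, n + 1
    return best


if __name__ == "__main__":
    sent, dead = retransmit_schedule()
    print("retransmits at:", [round(t, 1) for t in sent])
    print("peer declared dead after: %.1fs" % dead)
    print("with a 10s wait before the DPD: %.1fs" % detection_time(10))
    print("tries that fit a 120s budget:", max_tries_within(120))
```
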
