On Tue, Jun 09, 2020 at 06:29:05PM +0000, Leclerc, Sebastien wrote:
> > Before 6.7 iked didn't start DPD in this particular case.
> > It kicks in if the tunnel is up and there haven't been any incoming ESP
> > packets in the last 5 minutes.
> > A possible workaround would be to ping through the tunnel to have at least
> > one incoming packet every 5 minutes.
>
> There are definitely ESP packets continuously, as there are 3-8 RDP sessions
> in this tunnel during work hours. That's why it's a problem, people get their
> RDP session disconnected every 8 minutes.
>

If true that would certainly be a bug.
Could you try running iked with -dvv and look for ikev2_ike_sa_alive messages?
It should look like this:

	ikev2_ike_sa_alive: incoming CHILD SA spi 0x88888888 last used 0 second(s) ago

"ipsecctl -sa -v" shows you SA packet counters, if you find one that has 0 input
packets that's probably the cause.
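
Added example, not part of the original message or of iked: a small filter for saved `iked -dvv` output that keeps the latest ikev2_ike_sa_alive report per incoming CHILD SA and marks any SA whose last-used time has reached the 5-minute window mentioned in the thread. The function names, the IDLE/active labels, the exact 300-second cut-off and the sample log lines are assumptions constructed for illustration; only the log line format comes from the message above.

```shell
#!/bin/sh
# Idle window from the thread: no incoming ESP packets for 5 minutes.
# Treating exactly 300 s as the cut-off is an assumption of this example.
DPD_IDLE=300

# Reads iked debug output on stdin and prints "spi last_used status" for each
# incoming CHILD SA, keeping only the most recent report seen for every SPI.
sa_alive_report() {
    awk -v idle="$DPD_IDLE" '
    /ikev2_ike_sa_alive: incoming CHILD SA spi/ {
        # Scan fields by keyword so syslog-style prefixes do not matter.
        for (i = 1; i <= NF; i++) {
            if ($i == "spi")  spi = $(i + 1)
            if ($i == "used") secs = $(i + 1)
        }
        if (!(spi in last)) order[++n] = spi
        last[spi] = secs + 0
    }
    END {
        for (k = 1; k <= n; k++) {
            s = order[k]
            printf "%s %d %s\n", s, last[s], (last[s] >= idle ? "IDLE" : "active")
        }
    }'
}

# Constructed sample log lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
ikev2_ike_sa_alive: incoming CHILD SA spi 0x88888888 last used 0 second(s) ago
ikev2_ike_sa_alive: incoming CHILD SA spi 0x11111111 last used 412 second(s) ago
ikev2_ike_sa_alive: incoming CHILD SA spi 0x88888888 last used 2 second(s) ago
EOF
}

sample_log | sa_alive_report
```

An SA reported as IDLE while traffic is known to be flowing is the one to compare against the input packet counter in "ipsecctl -sa -v".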