Hi Youngsang, since IKEv2 uses INFORMATIONAL requests for DPD the regular retransmission scheme for IKEv2 messages with 5 trials applies:
See the following sample scenario with dpddelay = 10 seconds: http://www.strongswan.org/uml/testresults42/ikev2/dpd-clear/ Jan 21 01:55:15 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # DPD message sent after dpddelay = 10s: Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request Jan 21 01:55:25 moon charon: 12[ENC] generating INFORMATIONAL request 0 [ ] Jan 21 01:55:25 moon charon: 12[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # First retransmission after 4 seconds: Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0 Jan 21 01:55:29 moon charon: 13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Second retransmission after another 7 seconds: Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0 Jan 21 01:55:36 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Third retransmission after another 13 seconds: Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0 Jan 21 01:55:49 moon charon: 03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Fourth retransmission after another 24 seconds: Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0 Jan 21 01:56:13 moon charon: 11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # Fifth retransmission after another 42 seconds: Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0 Jan 21 01:56:55 moon charon: 16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500] # No answer - peer is declared dead after 2 minutes and 45 seconds: Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits This behaviour is hard-coded and cannot be changed. Best regards Andreas Youngsang Shin wrote: > Hi all, > > Which value is usually set for DPD timeout in a real IKEv2 setup? If > DPD is not used, any other keepalive timeout value? > > It seems that strongSwan's default value for DPDtimeout is 120 > seconds. This value is commonly used in a real environment? > > > Thanks, > Youngsang > ====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
