On Tue, 24 Nov 2020, Balaji Thoguluva wrote:

I am using the below configuration with an intent to do IPsec rekey initiated from Libreswan.

conn radcert

        dpddelay=0s
        dpdtimeout=0s
        dpdaction=hold

don't set these to 0! That means whenever the code checks it deems your
connection is down.

timeout is the time elapsed for no responses before the tunnel is
deemed down. RFCs say it should never be less than 60s, but it is
possible to set this shorter.

delay is the time between probes, if the connection is idle. This should
also not be too short.

Remember, if your link is busy and congested, if a dpd packet gets
dropped it counts as failure towards the timeout period. If you
timeout on a working connection due to congestion, you will have
a hard time getting the connection up - it will also drop packets
for the setup of the new tunnel.

Try dpddelay=30s and dpdtimeout=60s

Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev
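A small configuration lint for the settings discussed in this message, added here as an example rather than anything from the thread or from Libreswan itself: it parses conn sections from ipsec.conf-style text and flags DPD values of 0, values below the 60s/30s guidance above, or a timeout that does not exceed the delay. The time-unit parsing (s/m/h/d suffixes, a bare number read as seconds) is an assumption about the file format, not something the thread states.

```python
import re

def parse_seconds(value):
    """Parse a time value such as '30s', '2m' or '1h'; a bare number is taken as seconds (assumption)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unparseable time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):                   # section header at column 0
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and line[0].isspace() and "=" in line:
            key, _, val = line.strip().partition("=")  # indented key=value line
            conns[current][key.strip()] = val.strip()
        elif not line[0].isspace():
            current = None                             # another section type, e.g. 'config setup'
    return conns

def check_dpd(settings):
    """Findings for one conn's DPD settings; an empty list means nothing to report."""
    if "dpddelay" not in settings or "dpdtimeout" not in settings:
        return ["dpddelay and dpdtimeout are not both set, so DPD is not configured here"]
    delay, timeout = parse_seconds(settings["dpddelay"]), parse_seconds(settings["dpdtimeout"])
    if delay == 0 or timeout == 0:
        return ["0s DPD value: every check will deem the peer down"]
    findings = []
    if timeout < 60:                                   # RFC guidance quoted in the thread
        findings.append(f"dpdtimeout={timeout}s is below the 60s RFC guidance")
    if delay < 30:                                     # the suggested floor from the thread
        findings.append(f"dpddelay={delay}s is short; one dropped probe on a congested link counts toward the timeout")
    if timeout <= delay:
        findings.append(f"dpdtimeout ({timeout}s) must exceed dpddelay ({delay}s)")
    return findings

def lint(text):
    """Map each conn name to its DPD findings."""
    return {name: check_dpd(s) for name, s in parse_conns(text).items()}

# Constructed samples: the conn block as posted in the thread, and with the suggested values.
BAD_CONF = "conn radcert\n        dpddelay=0s\n        dpdtimeout=0s\n        dpdaction=hold\n"
GOOD_CONF = "conn radcert\n        dpddelay=30s\n        dpdtimeout=60s\n        dpdaction=hold\n"
```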