On Thu, May 07, 2020 at 01:54:13PM +0200, Stephan Mending wrote:
> Hi *,
> I was wondering why there is no dead peer detection implemented for iked?
>
> Is it just due to lack of time? Or are there good reasons to dismiss
> directly implemented dpd in iked?
>
> Because technically one has the option to just use ifstated.
>
> I'm just being curious here.

AFAICT iked implements this behavior in ikev2.c:ikev2_ike_sa_alive, but it
seems that before OpenBSD 6.7 it didn't send probes on completely idle SAs.
See https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/ikev2.c#rev1.214

Hopefully with 6.7 I can finally remove my ifstated ping checks.
