Hi Tom,

> 1.) Since IKEv2 does not use DPD, should one omit the dpdaction
> directives from ipsec.conf for a connection using IKEv2?

While IKEv2 does not use DPD, it provides a very similar mechanism called liveness checks. The dpdaction and dpddelay keywords work for both IKEv1 and IKEv2 in strongSwan. The dpdtimeout value is ignored for IKEv2 connections, as the default retransmission timeout mechanism is used to detect a non-responsive peer.

> 2.) Is it appropriate to use auto=route on both ends of a tunnel [...]
> avoid issues when both ends try to bring the tunnel up at the same
> time?

Usually yes. There is a risk of tunnel duplicates if both peers initiate simultaneously; it depends on your traffic/setup whether this can be an issue. Having a uniqueids=replace policy can help as well.

In the next 5.3.0 release, or a build from our git tree, we actively avoid any CHILD_SA setup conflicts by using a global reqid allocation mechanism. While this can't eliminate the risk of duplicated tunnels, traffic should flow nonetheless over such SAs.

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
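The settings Martin refers to, put together in one ipsec.conf fragment. This is an added example and not part of the mail or of the strongSwan distribution; the addresses, subnets, identities and certificate file names are placeholders. Because both left and right are given explicitly, strongSwan works out which side is local from the interface addresses, so the same conn block can be installed unchanged on both gateways.

```ini
# Added example (not from the mailing-list post): an IKEv2 site-to-site
# conn for /etc/ipsec.conf on a strongSwan 5.x gateway. All addresses,
# subnets, IDs and file names below are placeholders.

config setup
    # If both peers initiate at the same moment, keep the most recently
    # established IKE_SA for a given peer identity and replace the older one
    # instead of leaving two in place.
    uniqueids=replace

conn site-to-site
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw-a.example.net
    leftsubnet=10.1.0.0/24
    leftcert=gw-a.pem
    right=198.51.100.1
    rightid=@gw-b.example.net
    rightsubnet=10.2.0.0/24
    # Install trap policies on both sides; the first matching packet on
    # either gateway triggers the exchange, so neither side is the
    # designated initiator.
    auto=route
    # IKEv2 liveness check: send an empty INFORMATIONAL after 30s without
    # traffic from the peer. No dpdtimeout is set: for IKEv2 it is ignored
    # and the retransmission timeout detects a non-responsive peer.
    dpddelay=30s
    # On liveness failure tear the SAs down and re-establish them. With
    # auto=route, dpdaction=clear would also work because the trap policy
    # re-triggers the tunnel on the next interesting packet.
    dpdaction=restart
```

After `ipsec reload`, `ipsec statusall` shows the trap policy as "site-to-site{1}: ROUTED" until traffic brings the CHILD_SA up; a duplicate IKE_SA created by a simultaneous start is visible there as two entries for the same peer ID and is what the uniqueids setting resolves.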
