Hi Anthony,

>> 1- Do DPD rules apply to individual tunnels? If one tunnel cannot
>> communicate with the Gateway but others are, what happens if DPD timer
>> expires in only one of them?
>
> Yes, they apply to each IKE_SA individually.
> A.M. DpdAction=clear, and multiple interfaces, after one DPD timer expires,
> it may not clear.
> If DpdAction=clear, and single interface, after DPD timer expires, it does
> clear.

So what happens instead? Please post some logs that show this difference in
behavior (and the config that goes with it).

>> 2- When we set DPD action as restart, do we need to terminate the
>> current IKE after DPD timer expires or is it done automatically?
>
> The SA will be automatically restarted.
> A.M. after the restart and the interface comes back up, the tunnel indicates
> ESTABLISHED, but is not useable.

What makes it unusable? Are routes missing? Firewall rules? Policies or SAs
in the kernel?

Regards,
Tobias
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
