AFAIK you can use `inactivity=$time`, but it only pertains to the CHILD_SAs (unless charon.inactivity_close_ike is set to "yes"). DPD only pertains to IKE_SAs. If an IKE_SA is deleted (and not rekeyed), its CHILD_SAs are deleted, too. It probably works if you use both inactivity and set charon.inactivity_close_ike = yes in /etc/strongswan.d/charon.conf.

Kind regards

Noel

On 09.01.2018 14:36, Marco Berizzi wrote:
> Giuseppe De Marco <[email protected]> wrote:
>
> Ciao Marco,
>
> Probably I'm wrong but I think that the Dead Peer Detection feature could be
> helpful for you
>
> # dead-peer detection to clear any "dangling" connections in case the
> # client unexpectedly disconnects
> dpdaction=clear
> # If the tunnel has no traffic for this long (default 30 secs), Charon will
> # send a dead peer detection packet. The value 0 means to not send such
> # packets, relying on ordinary traffic, which will occur at least once an
> # hour, which is the default rekeying lifetime.
> dpddelay=33s
> # DPD Retries : 3
> dpdtimeout=300s
>
>
> Hi Giuseppe,
>
> thanks for the tips. Yes indeed dpd should do the trick. But I would like to
> ask if the strongswan behaviour (not dropping the IKE/IPSec SA after
> timeout) is the expected one.
>
> Thanks
