Hi Glen,

> If I set dpd_delay to something like 20s, does that make charon.keep_alive
> unnecessary, since the client now is guaranteed to receive packets at least
> once every 20s?

DPDs are sent only if no IKE or ESP traffic has been *received from* the peer; on the other hand, NAT keepalives are sent only by initiators behind a NAT and if no IKE or ESP traffic has been *sent to* the peer. So it depends on the situation (NAT or not, NAT behavior) and the kind of traffic you expect (uni- or bidirectional).

Also note that retransmits for DPDs do not follow the DPD delay but the regular retransmission settings [1]. Using low DPD delays is also something not recommended in certain situations (e.g. on servers for mobile roadwarriors, which might not be reachable for a while).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
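
Added example (not part of the reply above and not strongSwan code): a simplified one-host model of the two rules described in the message, plus the retransmission schedule that a DPD follows once it goes unanswered. The function names, the 1-second tick, the constructed traffic patterns and the "peer answers every DPD immediately" behaviour are assumptions of this sketch; the retransmission defaults (4.0 s timeout, base 1.8, 5 tries) are strongSwan's documented `charon.retransmit_*` defaults.

```python
def retransmit_schedule(timeout=4.0, base=1.8, tries=5):
    """Seconds after the first send at which each retransmit goes out.

    The last entry is the point at which the peer is given up on.
    The n-th wait is timeout * base**n; dpd_delay plays no part here.
    """
    offsets, total = [], 0.0
    for n in range(tries + 1):
        total += timeout * base ** n
        offsets.append(total)
    return offsets


def simulate(rx, tx, dpd_delay=20, keep_alive=20, nat_initiator=True, end=60):
    """Model one host in 1 s ticks.

    rx / tx: sets of seconds at which IKE or ESP traffic is received from /
    sent to the peer (constructed sample input).
    Assumption: the peer is alive and answers each DPD at once.
    """
    last_rx = last_tx = 0  # SA established at t=0
    events = []
    for t in range(1, end + 1):
        if t in rx:
            last_rx = t
        if t in tx:
            last_tx = t
        # DPD: only if nothing was *received from* the peer for dpd_delay
        if dpd_delay and t - last_rx >= dpd_delay:
            events.append((t, "dpd"))
            last_tx = last_rx = t  # request went out, response came in
        # NAT keepalive: NATed initiator, nothing *sent to* the peer
        if nat_initiator and keep_alive and t - last_tx >= keep_alive:
            events.append((t, "keepalive"))
            last_tx = t
    return events


if __name__ == "__main__":
    every_5s = set(range(5, 61, 5))  # constructed traffic pattern
    print("receive-only:", simulate(rx=every_5s, tx=set()))
    print("send-only:   ", simulate(rx=set(), tx=every_5s))
    print("idle:        ", simulate(rx=set(), tx=set()))
    print("DPD retransmits / give-up (s):",
          [round(s, 1) for s in retransmit_schedule()])
```

In this model a NATed host that only receives traffic never sends a DPD and relies on keepalives alone, while a silent peer is declared dead about 165 s after the first unanswered DPD regardless of `dpd_delay`.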
