Thanks for the detailed explanation.

> NAT keepalives are sent only by initiators

In my case, the server also sends NAT keepalives, but it does live behind NAT. So I guess NAT keepalives may be sent by either side as long as it's NATed? BTW, it also got me thinking, maybe it’s a bad idea to put the server behind NAT? I did that by putting the server inside docker, and used --cap-add NET_ADMIN as per the doc’s recommendation. Maybe I should use --net host to eliminate NAT to get better performance?

> On Nov 6, 2019, at 1:37 AM, Tobias Brunner <[email protected]> wrote:
>
> Hi Glen,
>
>> If I set dpd_delay to something like 20s, does that make charon.keep_alive
>> unnecessary, since the client now is guaranteed to receive packets at least
>> once every 20s?
>
> DPDs are sent only if no IKE or ESP traffic has been *received from* the
> peer, on the other hand, NAT keepalives are sent only by initiators
> behind a NAT and if no IKE or ESP traffic has been *sent to* the peer.
> So it depends on the situation (NAT or not, NAT behavior) and the kind
> of traffic you expect (uni- or bidirectional).
>
> Also note that retransmits for DPDs do not follow the DPD delay but the
> regular retransmission settings [1].
>
> Using low DPD delays is also something not recommended in certain
> situations (e.g. on servers for mobile roadwarriors, which might not be
> reachable for a while).
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission
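A small model of the two trigger rules as Tobias states them (DPD keyed on traffic *received from* the peer, NAT keepalive keyed on traffic *sent to* the peer, and only from an initiator behind NAT), run over constructed uni- and bidirectional traffic timelines. This is an added illustration, not strongSwan code; PeerConfig, one_way and simulate are names made up here, and the timelines are constructed.

```python
from dataclasses import dataclass

@dataclass
class PeerConfig:
    initiator: bool    # this side started the IKE SA
    behind_nat: bool   # a NAT was detected on this side
    dpd_delay: float   # seconds; 0 disables DPD
    keep_alive: float  # seconds between NAT keepalives (charon.keep_alive)

def one_way(direction, period=5, duration=60):
    """Constructed traffic: one packet every `period` s in one direction
    ('rx' = received from the peer, 'tx' = sent to the peer)."""
    return [(t, direction) for t in range(period, duration + 1, period)]

def simulate(cfg, traffic, duration, step=1.0):
    """Return [(time, 'dpd' | 'nat-keepalive'), ...] for this peer.

    Rules as stated in the thread: a DPD goes out when nothing has been
    *received from* the peer for dpd_delay; a NAT keepalive goes out only
    from an initiator behind NAT when nothing has been *sent to* the peer
    for keep_alive. A DPD is assumed to be answered at once (peer alive),
    so it counts as traffic both ways; a keepalive gets no reply.
    """
    pending = sorted(traffic)
    last_rx = last_tx = 0.0
    events = []
    t = 0.0
    while t <= duration:
        while pending and pending[0][0] <= t:
            ts, direction = pending.pop(0)
            if direction == "rx":
                last_rx = max(last_rx, ts)
            else:
                last_tx = max(last_tx, ts)
        if cfg.dpd_delay and t - last_rx >= cfg.dpd_delay:
            events.append((t, "dpd"))
            last_rx = last_tx = t
        if cfg.initiator and cfg.behind_nat and t - last_tx >= cfg.keep_alive:
            events.append((t, "nat-keepalive"))
            last_tx = t
        t += step
    return events

if __name__ == "__main__":
    client = PeerConfig(initiator=True, behind_nat=True, dpd_delay=20, keep_alive=20)
    server = PeerConfig(initiator=False, behind_nat=True, dpd_delay=20, keep_alive=20)
    print("client, tx only:", simulate(client, one_way("tx"), 60))  # DPDs only
    print("client, rx only:", simulate(client, one_way("rx"), 60))  # keepalives only
    print("server, rx only:", simulate(server, one_way("rx"), 60))  # nothing
```

With outbound-only traffic the DPDs themselves keep the keepalive timer from expiring, while with inbound-only traffic no DPD is ever sent and only the NAT keepalives refresh the mapping, which is why a 20s dpd_delay does not make keep_alive redundant under these rules.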
