[strongSwan] dpd ikev2
Roger Skjetlein
2015-10-26 14:29:22 UTC
Hi,

really not wanting to use DPD, in order to allow clients to stay connected for a long
time, I've opted to turn off DPD, with the result of having an
increasing number of sessions that are not reused.

To remedy this, would it be feasible to turn on DPD, but with a very long
delay, such as 10 hours?

The question really is if the dpd timeout counter starts from the last
packet received or will it be fixed to send dpd every 10 hours?

RS
--
"Over the heights flies the reindeer;
after it, in wind and wet! -
Better that than breaking the stone
up out of the poor soil down there!"
Tobias Brunner
2015-10-26 14:58:24 UTC
Hi Roger,
Post by Roger Skjetlein
To remedy this, would it be feasible to turn on DPD, but with a very
long delay, such as 10 hours?
Sure, any IKEv2 exchange will do the trick of clearing out old sessions
(e.g. rekeying too, however, the trigger is different, see below).
Post by Roger Skjetlein
The question really is if the dpd timeout counter starts from the last
packet received or will it be fixed to send dpd every 10 hours?
A DPD is sent only if there hasn't been any *inbound* traffic (IKE or
ESP) for the last 10 hours. A first check for this occurs 10h after the
SA got established, if there was traffic, the next check will be
scheduled for 10h-time_since_last_packet etc.

Regards,
Tobias
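The scheduling Tobias describes (first check one delay after the SA is established, re-armed for the remainder of the interval whenever inbound traffic was seen, a DPD sent only once the SA has been idle inbound for the full delay) is easy to get wrong when reasoning about long delays. The following is an added example, not code from the strongSwan project or from this thread: a small Python model of that timer over a constructed timeline of inbound packets. Assumptions are labelled in the code: the IKE_AUTH response counts as the initial inbound packet, a reply to our DPD counts as inbound IKE traffic, and a dead peer is modelled as a single missing reply (real strongSwan retransmits the INFORMATIONAL several times before giving up). The delay itself corresponds to `dpddelay` in ipsec.conf or `dpd_delay` in swanctl.conf; the model takes it as a number of seconds.

```python
"""Model of IKEv2 DPD scheduling as described in the thread above.

Added example; not strongSwan code. Times are seconds on a monotonic clock.
"""
import bisect

HOUR = 3600


def dpd_events(dpd_delay, established_at, inbound_times, peer_alive=True, horizon=None):
    """Replay the DPD timer and return a list of (time, kind, detail) events.

    kind is one of:
      "check" - timer fired, inbound traffic was seen, no DPD sent, re-armed
      "dpd"   - timer fired after a full idle interval, DPD INFORMATIONAL sent
      "dead"  - no DPD reply (assumption: modelled as one missing reply), SA deleted

    inbound_times: constructed timestamps of inbound IKE or ESP packets.
    """
    if dpd_delay <= 0:
        return []  # dpddelay = 0 means DPD is disabled (strongSwan default)
    inbound = sorted(inbound_times)
    if horizon is None:
        horizon = established_at + 4 * dpd_delay
    events = []
    # Assumption: the IKE_AUTH response itself is the first inbound packet.
    last_inbound = established_at
    # First check is scheduled one full delay after the SA was established.
    check_at = established_at + dpd_delay
    while check_at <= horizon:
        # Most recent inbound packet at or before the moment the timer fires.
        i = bisect.bisect_right(inbound, check_at)
        if i:
            last_inbound = max(last_inbound, inbound[i - 1])
        idle = check_at - last_inbound
        if idle < dpd_delay:
            # Traffic seen within the interval: no DPD, re-arm for the remainder,
            # i.e. the next check lands exactly dpd_delay after the last packet.
            next_check = check_at + (dpd_delay - idle)
            events.append((check_at, "check", f"idle {idle / HOUR:.1f}h, next check at {next_check / HOUR:.1f}h"))
            check_at = next_check
            continue
        events.append((check_at, "dpd", f"idle {idle / HOUR:.1f}h, sending DPD"))
        if not peer_alive:
            events.append((check_at, "dead", "no reply, SA deleted"))
            break
        # Assumption: the peer's reply arrives promptly and is inbound IKE traffic,
        # so the next check is a full delay after this exchange.
        last_inbound = check_at
        check_at += dpd_delay
    return events


def dpd_send_times(events):
    """Times at which a DPD was actually sent."""
    return [t for t, kind, _ in events if kind == "dpd"]


if __name__ == "__main__":
    # Constructed timeline: SA up at t=0, ESP traffic from the client at 4h and 9h,
    # then the client goes quiet. dpd_delay = 10h as proposed in the thread.
    timeline = dpd_events(10 * HOUR, 0, [4 * HOUR, 9 * HOUR], horizon=40 * HOUR)
    for t, kind, detail in timeline:
        print(f"{t / HOUR:5.1f}h  {kind:5s}  {detail}")
    # Same setup but the client has silently vanished.
    for t, kind, detail in dpd_events(10 * HOUR, 0, [], peer_alive=False):
        print(f"{t / HOUR:5.1f}h  {kind:5s}  {detail}")
```

Running it shows the point of Tobias's answer: the first timer fires at 10h, finds a packet from 9h, and simply re-arms for 19h; the first DPD goes out at 19h, ten hours after the last inbound packet, not at a fixed ten-hour cadence from SA establishment. A client that vanished right after IKE_AUTH is torn down at 10h, so a long delay bounds how long a dead session can linger, while an active client never sees a DPD at all.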
Roger Skjetlein
2015-10-26 15:04:49 UTC
This is perfect.

Having turned off server-side reauth and rekey to allow all the broken
client implementations to work, the number of sessions is soaring after a
short while, but DPD will fix this for sure.

Managed to find a config that works with most of the client
implementations: iOS 8 and 9, Android, Windows 7 to 10 and OS X 10.11.

Good stuff.

RS
Post by Tobias Brunner
Hi Roger,
Post by Roger Skjetlein
To remedy this, would it be feasible to turn on DPD, but with a very
long delay, such as 10 hours?
Sure, any IKEv2 exchange will do the trick of clearing out old sessions
(e.g. rekeying too, however, the trigger is different, see below).
Post by Roger Skjetlein
The question really is if the dpd timeout counter starts from the last
packet received or will it be fixed to send dpd every 10 hours?
A DPD is sent only if there hasn't been any *inbound* traffic (IKE or
ESP) for the last 10 hours. A first check for this occurs 10h after the
SA got established, if there was traffic, the next check will be
scheduled for 10h-time_since_last_packet etc.
Regards,
Tobias