Discussion:
[strongSwan] Common value for DPD timeout
Youngsang Shin
2009-02-25 21:26:50 UTC
Hi all,

Which value is usually set for DPD timeout in a real IKEv2 setup? If
DPD is not used, any other keepalive timeout value?

It seems that strongSwan's default value for DPDtimeout is 120
seconds. Is this value commonly used in a real environment?


Thanks,
Youngsang
Andreas Steffen
2009-02-26 17:04:02 UTC
Hi Youngsang,

since IKEv2 uses INFORMATIONAL requests for DPD, the regular
retransmission scheme for IKEv2 messages with 5 trials applies:

See the following sample scenario with dpddelay = 10 seconds:

http://www.strongswan.org/uml/testresults42/ikev2/dpd-clear/

Jan 21 01:55:15 moon charon:
11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# DPD message sent after dpddelay = 10s:
Jan 21 01:55:25 moon charon:
12[IKE] sending DPD request
Jan 21 01:55:25 moon charon:
12[ENC] generating INFORMATIONAL request 0 [ ]
Jan 21 01:55:25 moon charon:
12[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# First retransmission after 4 seconds:
Jan 21 01:55:29 moon charon:
13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:29 moon charon:
13[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Second retransmission after another 7 seconds:
Jan 21 01:55:36 moon charon:
15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:36 moon charon:
15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Third retransmission after another 13 seconds:
Jan 21 01:55:49 moon charon:
03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:55:49 moon charon:
03[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fourth retransmission after another 24 seconds:
Jan 21 01:56:13 moon charon:
11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:13 moon charon:
11[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# Fifth retransmission after another 42 seconds:
Jan 21 01:56:55 moon charon:
16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:56:55 moon charon:
16[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.100[4500]

# No answer - peer is declared dead after 2 minutes and 45 seconds:
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits

This behaviour is hard-coded and cannot be changed.

Best regards

Andreas
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
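The retransmission ladder in Andreas's log, modelled in Python as an added example (this is not strongSwan's code). The constants 4.0 s and 1.8 are assumptions chosen so that the model reproduces the timestamps posted above; the year supplied to the parser is likewise assumed, since syslog lines carry none. The script parses the [IKE] lines of the dpd-clear scenario, checks that the observed gaps follow an exponential backoff within the one-second resolution of syslog, and computes how long a dead peer goes undetected for a given dpddelay:

```python
"""Model of the IKEv2 DPD retransmission schedule seen in the thread.

Added example, not strongSwan code. The backoff constants are assumptions
fitted to the posted log: retransmit n (n = 1..5) is sent
timeout * base**(n-1) seconds after the previous send, and the peer is
declared dead one further such interval after the last retransmit.
"""
import re
from datetime import datetime

RETRANSMIT_TIMEOUT = 4.0   # assumed initial timeout in seconds
RETRANSMIT_BASE = 1.8      # assumed exponential backoff factor
RETRANSMIT_TRIES = 5       # "giving up after 5 retransmits" (from the log)


def retransmit_intervals(tries=RETRANSMIT_TRIES, timeout=RETRANSMIT_TIMEOUT,
                         base=RETRANSMIT_BASE):
    """Seconds between consecutive events: DPD request -> retransmit 1 ->
    ... -> retransmit `tries` -> give up. Returns tries + 1 intervals."""
    return [timeout * base ** n for n in range(tries + 1)]


def dead_peer_detection_time(dpddelay, **kwargs):
    """Seconds from the last packet exchanged with the peer until charon
    logs 'giving up': the idle period plus the whole retransmission ladder."""
    return dpddelay + sum(retransmit_intervals(**kwargs))


# Constructed sample: the [IKE] lines from the thread's dpd-clear scenario,
# one event per line, in the syslog format charon writes.
SAMPLE_LOG = """\
Jan 21 01:55:25 moon charon: 12[IKE] sending DPD request
Jan 21 01:55:29 moon charon: 13[IKE] retransmit 1 of request with message ID 0
Jan 21 01:55:36 moon charon: 15[IKE] retransmit 2 of request with message ID 0
Jan 21 01:55:49 moon charon: 03[IKE] retransmit 3 of request with message ID 0
Jan 21 01:56:13 moon charon: 11[IKE] retransmit 4 of request with message ID 0
Jan 21 01:56:55 moon charon: 16[IKE] retransmit 5 of request with message ID 0
Jan 21 01:58:10 moon charon: 15[IKE] giving up after 5 retransmits
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] "
    r"(?P<event>sending DPD request|retransmit \d+ of request"
    r"|giving up after \d+ retransmits)"
)


def parse_dpd_events(log_text, year=2009):
    """Return (event, datetime) pairs for the DPD-related [IKE] lines.
    Syslog lines carry no year, so one is supplied (assumed value)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # [NET]/[ENC] lines and unrelated messages are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((m.group("event"), ts))
    return events


def observed_intervals(log_text):
    """Seconds between consecutive DPD events found in the log."""
    times = [ts for _, ts in parse_dpd_events(log_text)]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def schedule_matches(observed, expected, tolerance=1.0):
    """True if every observed gap is within `tolerance` seconds of the model.
    Syslog timestamps have one-second resolution, so 1 s is the tightest
    comparison that makes sense."""
    return len(observed) == len(expected) and all(
        abs(o - e) <= tolerance for o, e in zip(observed, expected))


if __name__ == "__main__":
    model = retransmit_intervals()
    seen = observed_intervals(SAMPLE_LOG)
    print("model:", [round(x, 1) for x in model])
    print("log  :", seen)
    print("match:", schedule_matches(seen, model))
    print("dead peer detected %.0f s after the last packet (dpddelay=10)"
          % dead_peer_detection_time(10))
```

The operational point the model makes explicit: with dpddelay = 10 the peer is only declared dead about 175 s after the last packet (10 s idle plus roughly 165 s of retransmissions), so any failover or tunnel re-establishment that relies on DPD must budget for that latency, and the "giving up after N retransmits" line is the log event worth alerting on.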