[Swan-dev] IPsec rekey from Libreswan not initiated

Paul Wouters paul at nohats.ca
Tue Nov 24 21:27:59 UTC 2020


On Tue, 24 Nov 2020, Balaji Thoguluva wrote:

> I am using the below configuration with an intent to do IPsec rekey initiated from Libreswan.
> 
> conn radcert

>         dpddelay=0s
>         dpdtimeout=0s
>         dpdaction=hold

Don't set these to 0! That means whenever the code checks it deems your
connection is down.

Timeout is the time elapsed for no responses before the tunnel is
deemed down. RFCs say it should never be less than 60s, but it is
possible to set this shorter.

Delay is the time between probes if the connection is idle. This should
also not be too short.

Remember, if your link is busy and congested and a DPD packet gets
dropped, it counts as a failure towards the timeout period. If you
time out on a working connection due to congestion, you will have
a hard time getting the connection up - it will also drop packets
for the setup of the new tunnel.

Try dpddelay=30s and dpdtimeout=60s

Paul
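As an added illustration of the timing argument above (this is not part of Paul's message and not Libreswan's DPD code), the following Python script models a DPD timer with a probe interval (dpddelay) and a liveness timeout (dpdtimeout) and shows how many probes in a row may be lost on a congested link before a working peer is declared dead. The model is a simplification assumed for this example: probes go out every `delay` seconds on an idle tunnel, an unanswered probe leaves the last proof-of-life timestamp untouched, and the peer is declared dead once `timeout` seconds have passed without any reply. The zero-value behaviour reproduces what the mail describes (the first check already finds the deadline expired).

```python
"""Toy model of IKE dead-peer-detection (DPD) timing.

This is an assumption made for illustration, not Libreswan's real DPD
state machine. Use whole seconds for delay/timeout so the float arithmetic
stays exact.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DpdSim:
    """One idle tunnel with a DPD timer.

    delay    -- seconds between liveness probes while idle (dpddelay)
    timeout  -- seconds without any reply after which the peer is declared
                dead (dpdtimeout)
    dropped  -- constructed set of probe send times (seconds) whose probe or
                reply is lost, e.g. to congestion
    """
    delay: float
    timeout: float
    dropped: set[float] = field(default_factory=set)

    def run(self, horizon: float) -> tuple[str, float | None]:
        """Run the timer until `horizon` seconds.

        Returns ("dead", t) with the time the peer was declared dead, or
        ("alive", None) if the tunnel survived the whole run.
        """
        # Zero values behave as the mail describes: the very first check
        # finds the deadline already expired.
        if self.delay <= 0 or self.timeout <= 0:
            return "dead", 0.0

        last_proof = 0.0  # last moment we had proof the peer is alive
        t = 0.0
        while True:
            t += self.delay
            if t > horizon:
                return "alive", None
            # Send a probe; a reply refreshes the proof-of-life timestamp.
            if t not in self.dropped:
                last_proof = t
            # Every lost reply counts towards the timeout window.
            if t - last_proof >= self.timeout:
                return "dead", t


def tolerated_consecutive_drops(delay: float, timeout: float) -> int:
    """How many probes in a row may be lost before the peer is declared dead.

    Found by simulation rather than a closed formula so it stays consistent
    with DpdSim.run.
    """
    if delay <= 0 or timeout <= 0:
        return 0
    n = 0
    while True:
        lost = {delay * (i + 1) for i in range(n + 1)}
        state, _ = DpdSim(delay, timeout, lost).run(horizon=delay * (n + 2))
        if state == "dead":
            return n
        n += 1


if __name__ == "__main__":
    # The settings from the original mail versus the suggested ones.
    for delay, timeout in [(0, 0), (30, 60), (10, 60)]:
        print(f"dpddelay={delay}s dpdtimeout={timeout}s: tolerates "
              f"{tolerated_consecutive_drops(delay, timeout)} consecutive lost probe(s)")
    # One lost probe on a congested but working link with the suggested values:
    print(DpdSim(30, 60, {30}).run(horizon=120))       # ('alive', None)
    # Two lost probes in a row exhaust the 60s window:
    print(DpdSim(30, 60, {30, 60}).run(horizon=120))   # ('dead', 60)
```

With dpddelay=30s and dpdtimeout=60s the tunnel survives a single lost probe, whereas the zero settings from the original configuration never survive any check at all; lengthening the timeout relative to the delay is what buys tolerance for congestion.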

