[Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

Paul Wouters paul at nohats.ca
Thu Feb 18 17:27:51 UTC 2016


On Fri, 12 Feb 2016, Jacob Vind wrote:

> Great, thanks. Yes that seems to do it, I added this 20 hours ago and the 
> link has been working since then, I can see from the logs that it has 
> restarted it a few times.
>
> I wonder why it is not mentioned in the setup examples on libreswan.org, but 
> maybe it is mostly an issue if you are behind double nat setup like we are.

DPD was an addon for IKEv1. It is in the core IKEv2 spec.

Perhaps we can enable it by default now in IKEv2, but we would have to
come up with some reasonably sane values.

There is also the risk of causing failures. On a link congested with
non-ipsec traffic, an idle ipsec tunnel could end up in the crossfire
and have its DPD packet dropped, causing it to need to reconnect (on
an already congested link). This could lead to more failure.

Paul
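A concrete ipsec.conf conn fragment, added here as an illustration and not part of the original thread or of libreswan's own documentation, showing how DPD is typically switched on for a subnet-to-subnet tunnel behind NAT. The option names dpddelay, dpdtimeout, dpdaction, left/right and authby are real libreswan ipsec.conf options; the conn name, subnets, peer hostname and interval values are constructed examples. The generous timeout is one way to lower the false-failure risk on a congested link that the reply above describes.

```ini
# Example only (not from the thread): a subnet-to-subnet conn behind NAT
# with Dead Peer Detection enabled.
conn office-to-branch
    left=%defaultroute          # constructed: local gateway, behind NAT
    leftsubnet=10.1.0.0/24      # constructed example subnet
    right=branch.example.net    # constructed: remote peer hostname
    rightsubnet=10.2.0.0/24     # constructed example subnet
    authby=secret
    auto=start
    # DPD: probe the peer every 30 s; if no reply arrives within 120 s,
    # tear the tunnel down and rebuild it. A short timeout (e.g. 30 s)
    # makes the congested-link false-failure case more likely, so keep
    # dpdtimeout several probe intervals long: one dropped probe should
    # not force a reconnect on a link that is already saturated.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
```

The values are illustrative, not recommended defaults; later libreswan releases changed how IKEv2 liveness timeouts are expressed, so check the ipsec.conf(5) man page for the installed version before copying them.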

