From: Brian C. <B.C...@po...> - 2007-01-16 09:04:23
On Fri, Jan 12, 2007 at 05:36:09PM +0100, VANHULLEBUS Yvan wrote:
> DPD has *NOTHING* to do with IPSec SAs.
>
> DPD is designed to only check that remote IKE daemon is still alive
> and still have the same IsakmpSA we use to talk with it.

However, it can use the fact that traffic is flowing through an IPSec SA to suppress the need for DPD checks. RFC 3706:

" example, peer A might define its DPD interval to be 10 seconds. Then, if peer A sends outbound IPSec traffic, but fails to receive any inbound traffic for 10 seconds, it can initiate a DPD exchange."

So I don't think it's entirely accurate to say DPD has *nothing* to do with IPSec SAs.

OTOH, I don't know whether ipsec-tools' implementation makes use of inbound/outbound traffic monitoring in this way, or it just does periodic DPD.

Regards,
Brian.
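The two triggering strategies contrasted in the message above (the RFC 3706 section 5.1 traffic-triggered heuristic versus plain periodic probing), modelled as an added example. This is not code from the thread and not ipsec-tools or racoon code; the probe/retry/dead state machine, the timings (10 s interval, 5 s retry, 3 unanswered probes) and the three traffic timelines are illustrative assumptions, constructed so that the difference in probe count and in detection latency is visible.

```python
"""Simplified model of RFC 3706 sec. 5.1 traffic-triggered DPD next to a plain
periodic keepalive, run on constructed traffic timelines.  Integer seconds,
one tick per second.  Added example; not ipsec-tools/racoon code."""
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str]  # (time, "probe" | "retry" | "dead")


class DpdBase:
    """Shared probe / retry / dead bookkeeping; subclasses decide when to probe."""

    def __init__(self, interval: int, retry: int, max_probes: int) -> None:
        self.interval = interval      # RFC 3706 "DPD interval" (assumed value)
        self.retry = retry            # seconds between unanswered R-U-THEREs
        self.max_probes = max_probes  # unanswered probes before the peer is dead
        self.last_alive = 0           # last proof that the peer is alive
        self.outstanding = 0          # R-U-THEREs sent without an ACK
        self.last_probe: Optional[int] = None
        self.dead = False
        self.events: List[Event] = []

    def _alive(self, t: int) -> None:
        self.last_alive, self.outstanding, self.last_probe = t, 0, None

    def on_ack(self, t: int) -> None:            # R-U-THERE-ACK from the peer
        self._alive(t)

    def on_inbound_data(self, t: int) -> None:   # ESP traffic from the peer
        pass

    def on_outbound_data(self, t: int) -> None:  # ESP traffic we sent
        pass

    def _should_probe(self, t: int) -> bool:
        raise NotImplementedError

    def tick(self, t: int) -> Optional[str]:
        """Evaluate once per second; records and returns any DPD action taken."""
        if self.dead:
            return None
        if self.outstanding:  # an R-U-THERE is still unanswered
            if t - self.last_probe < self.retry:
                return None
            if self.outstanding >= self.max_probes:
                self.dead = True
                self.events.append((t, "dead"))
                return "dead"
            self.outstanding, self.last_probe = self.outstanding + 1, t
            self.events.append((t, "retry"))
            return "retry"
        if self._should_probe(t):
            self.outstanding, self.last_probe = 1, t
            self.events.append((t, "probe"))
            return "probe"
        return None


class PeriodicDpd(DpdBase):
    """Probe whenever `interval` seconds have passed since the last ACK; IPsec
    data traffic is ignored entirely."""

    def _should_probe(self, t: int) -> bool:
        return t - self.last_alive >= self.interval


class TrafficTriggeredDpd(DpdBase):
    """RFC 3706 sec. 5.1: probe only if we sent outbound traffic and then saw
    nothing inbound (data or ACK) for `interval` seconds."""

    def __init__(self, interval: int, retry: int, max_probes: int) -> None:
        super().__init__(interval, retry, max_probes)
        self.outbound_pending = False  # data sent since the last inbound packet

    def on_inbound_data(self, t: int) -> None:
        self._alive(t)
        self.outbound_pending = False

    def on_ack(self, t: int) -> None:
        self._alive(t)
        self.outbound_pending = False

    def on_outbound_data(self, t: int) -> None:
        self.outbound_pending = True

    def _should_probe(self, t: int) -> bool:
        return self.outbound_pending and t - self.last_alive >= self.interval


def run_scenario(dpd: DpdBase, traffic: Dict[int, str], duration: int,
                 peer_dies_at: Optional[int] = None, ack_delay: int = 1) -> List[Event]:
    """traffic maps second -> "in" | "out" | "both".  A live peer answers every
    probe with an ACK ack_delay seconds later; from peer_dies_at on it answers nothing."""
    acks_due: List[int] = []
    for t in range(duration):
        if t in acks_due:
            acks_due.remove(t)
            dpd.on_ack(t)
        direction = traffic.get(t)
        if direction in ("in", "both"):
            dpd.on_inbound_data(t)
        if direction in ("out", "both"):
            dpd.on_outbound_data(t)
        if dpd.tick(t) in ("probe", "retry") and (peer_dies_at is None or t < peer_dies_at):
            acks_due.append(t + ack_delay)
    return dpd.events


# Constructed 60 s timelines: data every 5 s where present; "peer_dies" has the
# peer fall silent right after its packet at t=20 while we keep sending.
SCENARIOS = {
    "idle_link": ({}, None),
    "busy_link": ({t: "both" for t in range(0, 60, 5)}, None),
    "peer_dies": ({**{t: "both" for t in range(0, 21, 5)},
                   **{t: "out" for t in range(25, 60, 5)}}, 20),
}


def compare(name: str, interval: int = 10, retry: int = 5,
            max_probes: int = 3) -> Dict[str, List[Event]]:
    traffic, dies = SCENARIOS[name]
    return {
        "traffic_triggered": run_scenario(TrafficTriggeredDpd(interval, retry, max_probes), traffic, 60, dies),
        "periodic": run_scenario(PeriodicDpd(interval, retry, max_probes), traffic, 60, dies),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        for strategy, events in compare(name).items():
            print(f"{name:10} {strategy:18} {events}")
```

On the idle and busy links the traffic-triggered variant sends no probe at all (the inbound ESP packets are taken as proof of liveness), while the periodic one sends five. When the peer dies, both detect it after interval + max_probes * retry seconds from their last proof of liveness; in this constructed timeline that is later for the traffic-triggered variant (t=45 versus t=36) only because it credited the peer's last data packet at t=20, which is the trade-off the RFC's heuristic makes.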