On Thu, Jun 11, 2020 at 02:36:53PM +0000, Leclerc, Sebastien wrote:
> > It seems I got it wrong before.  Even when there was ESP traffic, iked is going
> > to start DPD when there hasn't been any incoming IKE message in the last
> > 5 minutes.
> > 
> > My advice would be to just disable DPD in iked for this specific case.
> > To do this you will have to patch it and build it from the sources.
> > Below is a diff that should do the trick.
> > 
> > Index: ikev2.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/ikev2.c,v
> > retrieving revision 1.231
> > diff -u -p -r1.231 ikev2.c
> > --- ikev2.c 9 Jun 2020 21:53:26 -0000       1.231
> > +++ ikev2.c 10 Jun 2020 11:02:39 -0000
> > @@ -4391,7 +4391,7 @@ ikev2_ike_sa_alive(struct iked *env, voi
> >      * SA, or if we haven't received an IKE message. but only if we
> >      * are not already waiting for an answer.
> >      */
> > -   if (((!foundin && foundout) || ikeidle) &&
> > +   if ((!foundin && foundout) &&
> >         (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) == 0) {
> >             log_debug("%s: sending alive check", __func__);
> >             ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE,
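
Review bot: the block comment directly above the changed condition ("or if we haven't received an IKE message") no longer describes the code once `ikeidle` is dropped from the `if`, so it should be updated to say that an alive check is now sent only when outbound ESP traffic is seen without any inbound ESP traffic. Two things worth stating explicitly for whoever maintains this local patch: if `ikeidle` is not referenced anywhere else in `ikev2_ike_sa_alive()`, it becomes a computed-but-unused variable and may warn; and the trade-off is that a peer that goes away while the tunnel is idle in both directions is no longer detected by DPD, so its IKE SA lingers until rekeying or lifetime expiry rather than being torn down promptly.
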
> 
> Thank you very much, the patch did the trick. No reconnection since yesterday.
> As it is in production, this system is following syspatches only. If there 
> ever is a syspatch on iked for another problem, I assume I would have to 
> reapply this patch, right?
> 

Correct.  In that case you would do a cvs update to get the errata patch
and then reapply this diff.
