What is the difference between Hold and Restart of DPD action in strongswan IPsec?

Question

Question

When I tested IPsec DPD on Router, I found that both Hold and Restart reestablished VPN connection after dpdtimeout, so I didn't understand the difference between them

I found the relevant explanation in strongswan's document, but I couldn't understand the real difference

strongswan Doc - Hold

Hold installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand.

strongswan Doc - Restart

Restart will immediately trigger an attempt to re-negotiate the connection.

strongswan - DPD timeout

dpdtimeout = 150s

defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers.

Thank

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection — TommyTW_Lu, Jan 07 '21 at 17:21

score 1 · Accepted Answer · answered Jan 05 '22 at 15:23

1

Exactly as the documentation states: "restart" forces the renegotiation immediately, while "hold" waits for a specific traffic before doing so.

answered Jan 05 '22 at 15:23

Smirk

51
3

What is the difference between Hold and Restart of DPD action in strongswan IPsec?

1 Answers1