Question
When I tested IPsec DPD on the router, I found that both Hold and Restart re-established the VPN connection after dpdtimeout, so I didn't understand the difference between them.
I found the relevant explanation in strongSwan's documentation, but I couldn't understand the real difference.
strongswan Doc - Hold
Hold installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand.
strongswan Doc - Restart
Restart will immediately trigger an attempt to re-negotiate the connection.
strongswan - DPD timeout
dpdtimeout = 150s
defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers.
Thanks.
Exactly as the documentation states: "restart" forces the renegotiation immediately, while "hold" waits for specific traffic before doing so.
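As an added example that is not part of the original question or answer, the ipsec.conf below puts the two dpdaction variants side by side with the DPD timers they depend on; the addresses, subnets and connection names are constructed placeholders.

```ini
# strongSwan ipsec.conf (added example, constructed values).
# IKEv1 is used so that dpdtimeout actually applies; under IKEv2 the
# retransmission timeout decides when the peer is considered dead.

config setup

conn %default
    keyexchange=ikev1
    authby=secret
    # Send a DPD R_U_THERE after 30s of inactivity; give up on the peer
    # when 150s pass without a reply (IKEv1 only).
    dpddelay=30s
    dpdtimeout=150s
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24

# Variant A: when the peer is declared dead the SAs are removed and a
# trap policy for 10.1.0.0/24 <-> 10.2.0.0/24 is installed. Nothing is
# sent on the wire until a packet matches that policy; the first
# matching packet triggers the re-negotiation.
conn site-hold
    dpdaction=hold
    auto=start

# Variant B: when the peer is declared dead the SAs are removed and a
# new IKE negotiation is started at once, whether or not any traffic
# is waiting. Switch auto=start between the two conns to compare.
conn site-restart
    dpdaction=restart
    auto=ignore
```

With only idle test traffic both variants look identical after dpdtimeout, because the first packet you send immediately fires the trap; the difference is visible when no traffic is sent, where the hold variant stays listed under "Routed Connections" in `ipsec statusall` while the restart variant reappears as a connecting or established SA on its own.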