ipsecstrongswandpd

What is the difference between Hold and Restart of DPD action in strongswan IPsec?


Question

When I tested IPsec DPD on Router, I found that both Hold and Restart reestablished VPN connection after dpdtimeout, so I didn't understand the difference between them

I found the relevant explanation in strongswan's document, but I couldn't understand the real difference

strongswan Doc - Hold

Hold installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand.

strongswan Doc - Restart

Restart will immediately trigger an attempt to re-negotiate the connection.

strongswan - DPD timeout

dpdtimeout = 150s

defines the timeout interval, after which all connections to a peer are deleted in case of inactivity. This only applies to IKEv1, in IKEv2 the default retransmission timeout applies, as every exchange is used to detect dead peers.

Thank


Solution

  • Exactly as the documentation states: "restart" forces the renegotiation immediately, while "hold" waits for a specific traffic before doing so.