> It seems I got it wrong before. Even when there was ESP traffic, iked is going > to start DPD when there hasn't been any incoming IKE message in the last > 5 minutes. > > My advice would be to just disable DPD in iked for this specific case. > To do this you will have to patch it and build it from the sources. > Below is a diff that should do the trick. > > Index: ikev2.c > =================================================================== > RCS file: /cvs/src/sbin/iked/ikev2.c,v > retrieving revision 1.231 > diff -u -p -r1.231 ikev2.c > --- ikev2.c 9 Jun 2020 21:53:26 -0000 1.231 > +++ ikev2.c 10 Jun 2020 11:02:39 -0000 > @@ -4391,7 +4391,7 @@ ikev2_ike_sa_alive(struct iked *env, voi > * SA, or if we haven't received an IKE message. but only if we > * are not already waiting for an answer. > */ > - if (((!foundin && foundout) || ikeidle) && > + if ((!foundin && foundout) && > (sa->sa_stateflags & (IKED_REQ_CHILDSA|IKED_REQ_INF)) == 0) { > log_debug("%s: sending alive check", __func__); > ikev2_send_ike_e(env, sa, NULL, IKEV2_PAYLOAD_NONE,
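Review bot: the comment right above the changed condition still says the alive check is sent "or if we haven't received an IKE message", which is exactly the case this hunk removes by dropping `ikeidle` from the `if`; the comment should be updated in the same diff so it only describes the remaining case (outbound ESP seen, no inbound ESP seen). If `ikeidle` is computed earlier in `ikev2_ike_sa_alive()` solely for this test, that computation becomes dead with this change and should be removed as well, otherwise expect a set-but-unused warning. Minor: the outer parentheses in `if ((!foundin && foundout) &&` are now redundant. It is also worth saying explicitly, in the change description, what is given up: with `ikeidle` gone, a peer that disappears while no ESP flows in either direction is no longer detected by DPD, so the IKE SA stays up until it expires rather than being torn down early. That is fine as the site-specific workaround the reply describes it as, but it is not a general fix and should not be committed as one.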
Thank you very much, the patch did the trick. No reconnection since yesterday. As it is in production, this system is following syspatches only. If there ever is a syspatch on iked for another problem, I assume I would have to reapply this patch, right?