I am trying to change the “isakmp-nat-keep-alive” interval for a VPN connection, but have not been able to do so via the server-side configuration. I measured the keep-alive interval to be 20s from a variety of different clients. Below is an excerpt from a network capture using tcpdump, where 101 is the client and 224 is the server.
23:09:49.712565 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
23:10:09.713745 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
23:10:29.712072 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
I have tried modifying strongswan.conf and changing the “keep_alive” value in charon on the VPN server. Below is an excerpt from my strongswan.conf file.
install_routes = no
keep_alive = 60
This has not caused the clients to change their keep-alive interval at all. Is this expected, or can the server control the keep-alive interval for a client? The version of strongSwan we are using is 5.0.0 on an Ubuntu 12.04.1 LTS server.
Thank you for your help.
#1 Updated by Martin Willi about 6 years ago
- Status changed from New to Closed
- Resolution set to Invalid
> can the server control the keep-alive interval for a client?
No. NAT keep-alives are not negotiated, therefore you can't change the behavior of the client with a server setting. If your client has such a configuration option, you'll have to change it there.
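To check which peer is sending the keep-alives and at what interval, the tcpdump output from the question can be measured per flow. The following is an added example, not part of the original thread or of strongSwan. It assumes tcpdump's default time-of-day timestamps as in the excerpt, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from statistics import median

# Matches tcpdump's default one-line output for a NAT-T keep-alive, e.g.
# 23:09:49.712565 IP <src>.<port> > <dst>.4500: isakmp-nat-keep-alive
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) IP (\S+) > (\S+): isakmp-nat-keep-alive\s*$"
)

def keepalive_intervals(lines):
    """Return {(src, dst): [seconds between consecutive keep-alives]}."""
    last_seen = {}
    gaps = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a keep-alive line
        hh, mm, ss, src, dst = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        flow = (src, dst)  # direction matters: the sender is src
        if flow in last_seen:
            delta = t - last_seen[flow]
            if delta < 0:
                delta += 86400  # time-of-day stamps wrap at midnight
            gaps[flow].append(delta)
        last_seen[flow] = t
    return dict(gaps)

def summarize(lines):
    """Return {(src, dst): median interval in seconds, rounded to 0.1}."""
    return {flow: round(median(g), 1)
            for flow, g in keepalive_intervals(lines).items()}

# The three capture lines from the question (addresses masked as posted).
SAMPLE = """\
23:09:49.712565 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
23:10:09.713745 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
23:10:29.712072 IP XX.XX.X.101.41650 > XXX.XXX.X.224.4500: isakmp-nat-keep-alive
""".splitlines()

if __name__ == "__main__":
    for (src, dst), secs in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: ~{secs}s between keep-alives")
```

A flow keyed on the client address as the source shows that the interval being measured is the one the client applies, which is why the server-side `keep_alive` value does not change it.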