When connecting with my mobile to ocserv, I've noticed that 1 out of 5 connections using DTLS will fail due to timeout. It seems that the current timeout value (5 secs) is too short to cope with lost packets (especially when slow processors are involved). The DTLS retransmission starts from 1 sec delay and doubles on every retransmission attempt, so with 5 secs timeout and 3 lost packets in a flight (e.g., in a congested link for these 5 secs), the DTLS channel has very slim chances of being established. I've increased that value to 12 secs in faae9074980b304c0f83d2b07d085e3d8daf36fb, but I don't know whether it would be better for that to be made configurable.

It is also available from:
git://gitorious.org/openconnect-x/openconnect-x.git privacy-improvements

regards,
Nikos
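The retransmission arithmetic in the message above, as an added example that is not part of the original message or of the openconnect/ocserv code. It goes beyond the single case described by computing the chance that several flights complete before the timeout; the function names `recovery_delay` and `handshake_success`, the independent-loss model and the per-flight timer restart are assumptions made for illustration.

```c
#include <stdio.h>

#define MAX_DEADLINE 64 /* seconds; upper bound accepted here (assumed) */

/* Seconds between the first send of a flight and the send that follows
 * `losses` lost copies, for a timer that starts at `rto` and doubles. */
int recovery_delay(int rto, int losses)
{
    return rto * ((1 << losses) - 1);
}

/* Probability that `flights` consecutive flights are all delivered by
 * `deadline`. Model assumptions: each copy is lost independently with
 * probability p, the timer restarts at `rto` for every flight, and
 * round-trip and processing time are ignored. Returns -1 on bad input. */
double handshake_success(int flights, int rto, int deadline, double p)
{
    double dist[MAX_DEADLINE + 1] = { 1.0 }, next[MAX_DEADLINE + 1];

    if (flights < 1 || rto < 1 || rto > MAX_DEADLINE || p < 0.0 || p > 1.0
        || deadline < 0 || deadline > MAX_DEADLINE)
        return -1.0;
    for (int f = 0; f < flights; f++) {
        for (int t = 0; t <= deadline; t++)
            next[t] = 0.0;
        for (int t = 0; t <= deadline; t++) {
            double pk = 1.0 - p; /* P(k copies lost, then one arrives) */
            for (int k = 0; t + recovery_delay(rto, k) <= deadline; k++) {
                next[t + recovery_delay(rto, k)] += dist[t] * pk;
                pk *= p;
            }
        }
        for (int t = 0; t <= deadline; t++)
            dist[t] = next[t];
    }
    double ok = 0.0;
    for (int t = 0; t <= deadline; t++)
        ok += dist[t];
    return ok;
}

int main(void)
{
    printf("3 lost copies -> next send at %d s\n", recovery_delay(1, 3));
    for (int d = 5; d <= 12; d += 7)
        printf("timeout %2d s: P(ok, 2 flights, 50%% loss) = %.4f\n",
               d, handshake_success(2, 1, d, 0.5));
    return 0;
}
```

With a 1 s initial timer, the copy that follows three losses is sent 7 s after the first one, which is past a 5 s timeout and inside a 12 s one.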