Table of Contents
Advertisement
Netopia Firmware Version 5.4 provides a new Dead Peer Detection mechanism. An IPsec IP net interface
sends ICMP ping requests to a specific IP address on a Remote Member network. The ping is periodic, and
the reply is expected within a certain amount of time. If the ICMP reply does not arrive within that time, the
peer is considered dead, the current phase 2 SAs are torn down, and the IKE SA starts a new phase 1
negotiation, followed by the normal phase 2 negotiation, thereafter.
When you toggle Dead Peer Detection to Yes (on), new options appear.
SA Lifetime seconds:
SA Lifetime Kbytes:
Perfect Forward Secrecy:
Dead Peer Detection:
Ping host:
Ping retry interval:
Ping reply timeout:
■
Ping host allows you to specify the host IP address of the host to ping, and from which replies will be
expected.
This field is only available if you have previously configured, and committed, remote network IP data in the
Add Network Configuration screen under Advanced IP Profile Options. See
page
5-15.
■
Ping retry interval and Ping reply timeout options appear.
The defaults are 5 seconds and 90 seconds, respectively. You may adjust these to suit your network's
tolerances.
Note:
• ICMP Dead Peer Detection is not available when using manual re-keying.
• ICMP Dead Peer Detection does not initiate a series of phase 2 exchanges upon detecting a dead peer; it
instead initiates a new phase 1 negotiation, followed by a new phase 2 negotiation once contact with the peer
has been re-established.
• If you are using Multiple Network IPsec, the IP address of the ICMP Dead Peer Detection mechanism must be
constrained to the set of network ranges defined for the IPsec profile.
Press Escape to return to the Add or Change Connection Profile screen, and select IP Profile Parameters.
Internet Key Exchange (IKE) IPsec Key Management for VPNs 5-13
Advanced IPsec Options
28800
0
Yes
Yes
1.1.1.1
5
90
"Add Network Configuration" on
Advertisement
Table of Contents
