Introduction To Ipsec Dpd - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide
Note:
The encryption card and the IPSec module of V 2.41 adopt the same data processing
mechanism. They differ in the sense that the former implements hardware encryption
while the latter implements software encryption. In addition, the encryption card
supports fast forwarding but the IPSec module does not.

7.1.4 Introduction to IPSec DPD

IPSec dead peer detection (IPSec DPD) is a function that allows on-demand IKE peer
liveliness detection on IPSec/IKE tunnels.
The idea of DPD is that when an IKE peer receives no packets from its peer for a
specified period, a DPD query is triggered: the IKE peer sends a query to its peer
asking for proof of liveliness.
Compared with other keepalive mechanisms available with IPSec, DPD generates less
traffic while allowing more prompt detection and quicker tunnel recovery.
You may use DPD in solutions where ISAKMP SAs are established between the address
of a router and that of a VRRP standby group. This allows the established security
tunnel to recover automatically and quickly when failover occurs in the VRRP standby
group, preventing communication from being interrupted. DPD thus broadens the
application scope of IPSec and improves its robustness.
DPD is implemented in compliance with RFC3706 and RFC2408.
I. Concepts
1) DPD data structure
A DPD data structure, or a DPD structure, contains DPD query parameters, such as
the interval-time timer and the time_out timer. A DPD structure can be referenced by
multiple IKE peers, so you need not configure one DPD structure for each interface.
2) Timers
IPSec DPD uses the following two timers to control the sending and receipt of DPD
packets:
Interval-time: specifies the idle interval for triggering a DPD query. If an IKE peer
has received no IPSec packet from its peer when this timer expires, a DPD query is
triggered.
Time_out: specifies how long to wait for a DPD acknowledgement.
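The interplay of the two timers, as an added example that is not from the 3Com manual: a Python simulation of one IKE peer's DPD logic. The interval-time of 10 s and time_out of 5 s, the packet arrival times, and the rule that any packet from the peer (including the DPD acknowledgement) counts as proof of liveliness are assumptions for illustration; what the router does once time_out expires is simplified to declaring the peer dead.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class DpdStructure:
    """DPD query parameters; one structure can be shared by many IKE peers."""
    interval_time: float  # idle seconds (no packets from peer) before a DPD query
    time_out: float       # seconds to wait for the DPD acknowledgement

@dataclass
class IkePeer:
    dpd: DpdStructure
    last_rx: float = 0.0                   # time of the last packet from the peer
    query_sent_at: Optional[float] = None  # time of the outstanding DPD query, if any
    alive: bool = True
    log: List[str] = field(default_factory=list)

    def on_packet_received(self, now: float) -> None:
        # Assumption: any packet from the peer (IPSec traffic or the DPD
        # acknowledgement) is proof of liveliness and clears the outstanding query.
        self.last_rx = now
        self.query_sent_at = None

    def tick(self, now: float) -> None:
        """Evaluate the two DPD timers; call once per second of simulated time."""
        if not self.alive:
            return
        if self.query_sent_at is None:
            idle = now - self.last_rx
            if idle >= self.dpd.interval_time:  # interval-time timer expired
                self.query_sent_at = now
                self.log.append(f"{now:.0f}s: idle {idle:.0f}s, DPD query sent")
        elif now - self.query_sent_at >= self.dpd.time_out:  # time_out timer expired
            self.alive = False
            self.log.append(f"{now:.0f}s: no DPD ack within {self.dpd.time_out:.0f}s, peer dead")

def run_scenario(rx_times: List[float], interval_time: float = 10,
                 time_out: float = 5, duration: int = 40) -> IkePeer:
    """Simulate one peer given constructed arrival times of packets from its peer."""
    peer = IkePeer(DpdStructure(interval_time, time_out))
    pending = sorted(rx_times)
    for now in range(duration + 1):
        while pending and pending[0] <= now:
            peer.on_packet_received(pending.pop(0))
        peer.tick(now)
    return peer

# Constructed scenarios: responsive peer (alive, one query at 13s) vs silent peer (dead at 18s).
HEALTHY = run_scenario([3, 15, 20, 30, 40])
DEAD = run_scenario([3])
```

Inspect `HEALTHY.log` and `DEAD.log` to see when the query fired and when the silent peer was declared dead.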
II. Operating Mechanism
The following describes how DPD operates after being enabled:
At the sender side
3Com Corporation
7-5
Chapter 7 IPSec Configuration