IKE Dead Peer Detection; PMTU Support for IPSec Tunnels; Disabling the IPSec Anti-Replay Service - Avaya 1000 Series Configuration Manual


IKE Dead Peer Detection

IKE Dead Peer Detection (DPD) is a traffic-based method of detecting dead IKE peers. It
uses on-demand IPSec traffic patterns to minimize the number of IKE messages sent to
confirm activity. The purpose of DPD is to detect whether a peer is still alive. If a peer
has died, the system can reclaim valuable resources, thereby improving network
performance and availability. Secure Router supports On-demand DPD only.

For the best DPD performance, configure the crypto keepalive according to how urgently a
dead peer must be detected. Detection occurs when a peer has not acknowledged its presence
within (transmit-interval + 3 * retry-interval) seconds. For faster DPD, set the
transmit-interval and retry-interval to smaller values.
Example
Configuring IKE Dead Peer Detection
SR/config/crypto> keepalive enable
SR/config/crypto> keepalive transmit-interval 30
SR/config/crypto> keepalive retry-interval 10
Example
Displaying Dead Peer Detection status
SR/show/crypto> keepalive
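
The timing rule above, worked through on a short trace as an added example (this is not code from the Avaya manual). Only the bound transmit-interval + 3 * retry-interval comes from the page; the probe schedule inside that window, the assumption that DPD is armed for the whole trace, and the sample timestamps are constructed for illustration.

```python
# Added example, not from the Avaya manual. Only the bound
# transmit-interval + 3 * retry-interval comes from the page; the probe
# schedule and the always-armed assumption are illustrative.

RETRIES = 3  # multiplier in the page's formula


def dpd_deadline(transmit_interval, retry_interval):
    """Seconds of peer silence after which the peer is declared dead."""
    return transmit_interval + RETRIES * retry_interval


def probe_offsets(transmit_interval, retry_interval):
    """Assumed probe times, in seconds after the peer was last heard."""
    return [transmit_interval + i * retry_interval for i in range(RETRIES)]


def first_dead_time(peer_heard, transmit_interval, retry_interval, end):
    """Time at which the peer is declared dead, or None if it never is.

    peer_heard: sorted timestamps (s) at which the peer acknowledged presence.
    end: timestamp at which observation stops.
    Assumes the local side always has traffic to send, so on-demand DPD
    is armed for the whole trace.
    """
    limit = dpd_deadline(transmit_interval, retry_interval)
    following = list(peer_heard[1:]) + [float("inf")]
    for prev, nxt in zip(peer_heard, following):
        if nxt - prev > limit:          # silence exceeded the bound
            dead_at = prev + limit
            return dead_at if dead_at <= end else None
    return None


# Constructed trace: peer goes quiet for 20 s, then fails after t=45.
TRACE = [0, 20, 45]

if __name__ == "__main__":
    for tx, retry in [(30, 10), (10, 2)]:
        print(f"transmit-interval={tx} retry-interval={retry}: "
              f"bound={dpd_deadline(tx, retry)}s "
              f"probes at +{probe_offsets(tx, retry)} "
              f"dead at t={first_dead_time(TRACE, tx, retry, end=300)}")
```

With the manual's 30/10 settings the failed peer is declared dead at t=105; with 10/2 the bound drops to 16 seconds, so the same peer is declared dead at t=16 during a 20-second quiet period even though it was still alive.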

PMTU Support for IPSec tunnels

PMTU is a configurable option. If it is enabled, fragmentation is required, and the DF bit
is set, the Secure Router sends an ICMP error to the packet originator. The DF bit from the
inner IP header is copied to the outer IP header; this allows intermediate routers to
fragment or not, depending on the value of the DF bit. IP fragmentation is supported for IP
packets that exceed the MTU after insertion of the GRE/IPIP header. IP fragmentation, if
applicable, is based on the MTU of the outbound physical interface.

Disabling the IPSec Anti-replay service

The ability to disable the anti-replay service is useful when using Diff-serv marking on an IPSec
tunnel where you want to support voice traffic at a higher priority than data traffic. As the voice
Avaya Secure Router 1000 Series Configuration Guide
IKE Dead Peer Detection
December 2010
165
