D-Link NetDefendOS User Manual page 727

Network security firewall
This setting enables logging of session keys for each new IPsec SA established. Both the
encryption key and authentication keys are logged as hexadecimal strings. Note that having
access to these keys makes it possible to decrypt captured packets offline.
Default: Disabled
Caution: Enable Key Logging for testing only
As encryption keys are highly sensitive pieces of information, this feature should be
enabled for debugging purposes only.
Dead Peer Detection Settings
DPD Metric
The amount of time, in tens of seconds, for which the peer is considered alive (reachable) after
the last received IKE message. During this time no DPD messages are sent to check whether the
peer is still alive, even if no packets at all have been received from the peer.
In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other
sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of
life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no
DPD-R-U-THERE messages will be sent.
For example, if the other side of the tunnel has not sent any ESP packets for a long period but at
least one IKE packet has been seen within the last (10 x the configured value) seconds, then
NetDefendOS will not send more DPD-R-U-THERE messages to the other side.
Default: 3 (in other words, 3 x 10 = 30 seconds)
DPD Keep Time
The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has
detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate
the tunnel or send DPD messages to the peer. However, the peer will not be considered dead
any more as soon as a packet from it is received.
A more detailed explanation for this setting is that it is the amount of time in tens of seconds that
an SA will remain in the dead cache after a delete. An SA is put in the dead cache when the other
side of the tunnel has not responded to DPD-R-U-THERE messages for DPD Expire Time x 10
seconds and there is no other evidence of life. When the SA is placed in the dead cache,
NetDefendOS will not try to re-negotiate the tunnel. If traffic that is associated with the SA that is
in the dead cache is received, the SA will be removed from the dead cache. DPD will not trigger if
the SA is already cached as dead.
This setting is used with IKEv1 only.
Default: 2 (in other words, 2 x 10 = 20 seconds)
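The interaction between DPD Metric, DPD Expire Time and DPD Keep Time described above, modelled as a small state machine. This is an added illustration, not NetDefendOS code: the metric and keep-time defaults are the ones stated on this page, while the expire-time value and the action names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DpdSettings:
    metric: int = 3        # tens of seconds; page default 3 (30 s)
    keep_time: int = 2     # tens of seconds; page default 2 (20 s)
    expire_time: int = 15  # seconds of R-U-THERE probing; ASSUMED value, not from the page

@dataclass
class DpdState:
    last_life: float                        # last IKE packet or other sign of life from the peer
    probing_since: Optional[float] = None   # when R-U-THERE probing started, if probing
    dead_until: Optional[float] = None      # end of the dead-cache period, if cached dead

def peer_seen(state: DpdState, now: float) -> None:
    """Any packet from the peer counts as life: it cancels probing and clears the dead cache."""
    state.last_life = now
    state.probing_since = None
    state.dead_until = None

def dpd_action(state: DpdState, now: float, s: DpdSettings) -> str:
    """Decide what the DPD logic does for one SA at time `now` (seconds)."""
    if state.dead_until is not None:
        if now < state.dead_until:
            return "cached_dead"          # DPD Keep Time: no DPD, no renegotiation
        state.dead_until = None           # keep time elapsed, SA leaves the dead cache
    if now - state.last_life < s.metric * 10:
        state.probing_since = None        # DPD Metric: evidence of life is recent enough
        return "idle"
    if state.probing_since is None:
        state.probing_since = now         # metric window expired, start probing
        return "send_r_u_there"
    if now - state.probing_since < s.expire_time:
        return "send_r_u_there"           # keep probing for DPD Expire Time seconds
    state.probing_since = None
    state.dead_until = now + s.keep_time * 10   # no answer: put the SA in the dead cache
    return "mark_dead"

def run_trace(events, s: DpdSettings = DpdSettings()) -> list:
    """events: (time, 'tick' | 'peer_seen'); returns the action taken at each tick."""
    state, out = DpdState(last_life=0.0), []
    for t, ev in events:
        if ev == "peer_seen":
            peer_seen(state, t)
        else:
            out.append((t, dpd_action(state, t, s)))
    return out
```

With the defaults, a peer silent from t=0 is first probed at 30 s, cached as dead 15 s later, and ignored for 20 s, unless any packet from it arrives in the meantime.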
DPD Expire Time
The length of time in seconds for which DPD messages will be sent to the peer. If the peer has
Chapter 9: VPN