Configure Dead Peer Detection (Dpd) - Digi TransPort WR11 User Manual

Configuring Virtual Private Networking (VPN)

Configure Dead Peer Detection (DPD)

When Dead Peer Detection (DPD) is enabled on an IPsec tunnel, the router will send an IKE DPD
request at regular intervals. If no response is received to the DPD request, the IPsec tunnel is
considered as suspect and the requests are sent at a shorter interval until either the maximum
number of outstanding requests allowed is reached or a response is received. If no response is
received to the configured maximum requests, the IPSec tunnels are closed.
Note IKE DPD requests require that an IKE SA is present. If one is not present, the DPD request will
fail.
To help ensure that an IKE SA exists with a lifetime at least as great as the IPsec lifetime, the router
creates new IKE SAs whenever the IPsec SA lifetime exceeds the lifetime of an existing IKE SA and
attempts to negotiate a lifetime for the IKE SA that is 60 seconds longer than the desired lifetime of
the IPsec SA.
É
Web
1. Go to Configuration > Network > Virtual Private Networking (VPN) > IPsec > Dead Peer
Detection (DPD).
2. Configure Dead Peer Detection parameters:
Mark the IPsec tunnel as suspect if there is no traffic for n seconds
The period of time of inactivity on a tunnel before it is deemed to be suspect, such as if there is
no activity on a healthy link for the time period defined, then the tunnel is them deemed to be
suspect.
Send a DPD request on a healthy link every n seconds
The interval at which DPD requests are sent on an IPsec tunnel that is deemed to be healthy. A
healthy link is one with traffic.
Send a DPD request on a suspect link every n seconds
The interval at which DPD requests are sent on an IPsec tunnel that is deemed to be suspect. A
suspect link is one where there has been no traffic for a specified period of time.
Digi TransPort® Routers User Guide
Configure Internet Protocol security (IPsec)
498