JUNOSe 11.0.x IP Services Configuration Guide
Unlike other keepalive and heartbeat schemes, which require that peers frequently
exchange Hello packets with each other at regular predetermined intervals, DPD
uses two techniques to verify connectivity on an as-needed basis. In the first method,
the router sends DPD inquiries to the remote peer when traffic has been sent to the
peer in the last 30 seconds but no traffic has been received from the peer in the last
60 seconds. In the second method, DPD uses an idle timer. If there has been no
traffic between the router and the peer for 2.5 minutes, DPD sends an inquiry to the
remote end to verify that the peer is still reachable.
NOTE: Not all IPSec connections need to verify connectivity between peers. For
example, the ERX router does not use DPD to check secure remote access connections
based on L2TP over IPSec, which have their own keepalive mechanism. However,
the router does reply to a request from a remote peer in this type of connection.
Tunnel Failover
The ERX router provides a failover mechanism for IPSec tunnels that works in concert
with both DPD and IKE SA negotiation. The tunnel failover feature provides an
alternate tunnel destination when DPD detects that the current destination is
unreachable or when IKE SA setup is unsuccessful. During failover, the IPSec tunnel
switches to the alternate destination and establishes IPSec SAs with the new peer.
To configure tunnel failover, you specify the tunnel destination backup endpoint.
Tunnel failover is a two-way process. If the router detects that the remote peer is
unreachable, it switches to sending traffic to the backup destination. Likewise, if the
router is sending traffic to the backup destination when the connection is terminated,
the router switches to sending the traffic to the original remote peer.
NOTE: Even without tunnel failover configured, DPD still provides many benefits,
such as indicating that the destination interface is down, ensuring that the router
stops sending packets to the unreachable destination, and generating SNMP traps.
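The two DPD trigger rules and the two-way failover behaviour described above can be modelled in a few lines of code. The following is an added illustrative example, not JUNOSe's implementation and not code from this guide: the class and function names (PeerActivity, dpd_inquiry_reason, IpsecTunnel), the string return values, and the sample peer addresses are assumptions; only the timer thresholds (30 s, 60 s, 2.5 minutes) come from the text.

```python
from dataclasses import dataclass
from typing import Optional

# Timer thresholds in seconds, as stated in the guide.
SENT_WINDOW = 30      # traffic was sent to the peer within the last 30 s ...
RECV_WINDOW = 60      # ... but nothing came back within the last 60 s
IDLE_TIMEOUT = 150    # no traffic in either direction for 2.5 minutes


@dataclass
class PeerActivity:
    """Monotonic timestamps (seconds) of the last packet sent to / received from a peer.
    (Hypothetical model, not a JUNOSe data structure.)"""
    last_sent: float
    last_received: float


def dpd_inquiry_reason(activity: PeerActivity, now: float) -> Optional[str]:
    """Return why a DPD inquiry is due now, or None if no inquiry is needed.

    'asymmetric' models the first rule (we are sending, the peer is silent);
    'idle' models the idle-timer rule. Both are as-needed checks, so a peer
    that is actively answering never triggers an inquiry.
    """
    since_sent = now - activity.last_sent
    since_received = now - activity.last_received
    if since_sent < SENT_WINDOW and since_received >= RECV_WINDOW:
        return "asymmetric"
    if since_sent >= IDLE_TIMEOUT and since_received >= IDLE_TIMEOUT:
        return "idle"
    return None


@dataclass
class IpsecTunnel:
    """An IPSec tunnel with an optional backup destination (hypothetical model)."""
    primary: str
    backup: Optional[str] = None
    active: Optional[str] = None   # None means the tunnel is down

    def __post_init__(self) -> None:
        self.active = self.primary

    def _other_endpoint(self) -> Optional[str]:
        """Failover is two-way: primary -> backup and backup -> primary."""
        if self.backup is None:
            return None
        return self.backup if self.active == self.primary else self.primary

    def peer_unreachable(self) -> str:
        """DPD (or a failed IKE SA setup) concluded the active peer is unreachable.

        With a backup configured the tunnel switches destination, and new IPSec
        SAs would be negotiated with that peer. Without one, the tunnel is marked
        down so no further packets are sent; the caller would raise the SNMP trap
        mentioned in the guide.
        """
        alternate = self._other_endpoint()
        if alternate is not None:
            self.active = alternate
            return "failover-to-backup" if alternate == self.backup else "failback-to-primary"
        self.active = None
        return "tunnel-down"

    def connection_terminated(self) -> str:
        """The connection to the backup ended: return to the original remote peer."""
        if self.backup is not None and self.active == self.backup:
            self.active = self.primary
            return "failback-to-primary"
        return "no-change"


if __name__ == "__main__":
    # Constructed walk-through: we sent 5 s ago, last heard from the peer 70 s ago.
    activity = PeerActivity(last_sent=95.0, last_received=30.0)
    print("DPD inquiry reason:", dpd_inquiry_reason(activity, now=100.0))
    tunnel = IpsecTunnel("198.51.100.1", backup="198.51.100.2")   # documentation addresses
    print(tunnel.peer_unreachable(), "->", tunnel.active)
    print(tunnel.connection_terminated(), "->", tunnel.active)
```

The asymmetric rule is the interesting one from a detection standpoint: it fires only while the router itself is still transmitting, so a peer that silently drops traffic (a black-holed path, a rebooted gateway that lost its SAs) is detected within about a minute rather than at the next rekey.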
IKE Overview
The IKE suite of protocols allows a pair of security gateways to:
• Dynamically establish a secure tunnel over which the security gateways can
exchange tunnel and key information.
• Set up user-level tunnels or SAs, including tunnel attribute negotiations and key
management. These tunnels can also be refreshed and terminated on top of the
same secure channel.
IKE is based on the Oakley and Skeme key determination protocols and the ISAKMP
framework for key exchange and security association establishment. IKE provides:
• Automatic key refreshing on configurable timeout
• Support for public key infrastructure (PKI) authentication systems