Ipsec Maximums Supported; Dpd And Ipsec Tunnel Failover; Tunnel Failover - Juniper JUNOSE 11.2.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration
Copyright © 2010, Juniper Networks, Inc.

IPSec Maximums Supported

See JunosE Release Notes, Appendix A, System Maximums corresponding to your software
release for information about maximum values.

DPD and IPSec Tunnel Failover

Dead peer detection (DPD) is a keepalive mechanism that enables the E Series router
to detect when the connection between the router and a remote IPSec peer has been
lost. DPD enables the router to reclaim resources and to optionally redirect traffic to an
alternate failover destination. If DPD is not enabled, the traffic continues to be sent to
the unavailable destination.
When a disconnected state is detected between the E Series router and an IPSec peer,
the router:

- Tears down the IPSec connection and displays the interface's state as down in output
  for the show ipsec tunnel detail command
- Clears all SAs that were established between the two endpoints
- Stops forwarding packets to the unavailable destination
- Generates SNMP traps
- Allows routing protocols running on the IP interfaces on top of the failed IPSec tunnel
  to switch to alternate paths
- (Optional) Redirects traffic to an alternate tunnel destination

Unlike other keepalive and heartbeat schemes, which require that peers frequently
exchange Hello packets with each other at regular predetermined intervals, DPD uses
two techniques to verify connectivity on an as-needed basis. In the first method, the
router sends DPD inquiries to the remote peer when traffic has been sent to the peer in
the last 30 seconds but no traffic has been received from the peer in the last 60 seconds.
In the second method, DPD uses an idle timer. If there has been no traffic between the
router and the peer for 2.5 minutes, DPD sends an inquiry to the remote end to verify that
the peer is still reachable.
NOTE: Not all IPSec connections need to verify connectivity between peers. For example,
the ERX router does not use DPD to check secure remote access connections based on
L2TP over IPSec, which have their own keepalive mechanism. However, the router does
reply to a request from a remote peer in this type of connection.

Tunnel Failover

The ERX router provides a failover mechanism for IPSec tunnels that works in concert
with both DPD and IKE SA negotiation. The tunnel failover feature provides an
alternate tunnel destination when DPD detects that the current destination is unreachable
or when IKE SA setup is unsuccessful. During failover, the IPSec tunnel switches to the
alternate destination and establishes IPSec SAs with the new peer. To configure tunnel
failover, you specify the tunnel destination backup endpoint.
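The two DPD trigger rules above (traffic-based inquiry after 30 s sent / 60 s silence, and the 2.5 minute idle timer) and the teardown-plus-failover actions can be modelled as a small tunnel state machine. This is an added illustration written for this page, not JunosE code; the Tunnel class, the dpd_probe_needed, on_peer_unreachable and dpd_tick functions, and the hypothetical peer addresses are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Timer values as stated in the manual, in seconds.
SENT_WINDOW = 30     # traffic was sent to the peer within this window ...
RECV_SILENCE = 60    # ... but nothing was received from it for this long
IDLE_TIMEOUT = 150   # 2.5 minutes with no traffic in either direction

@dataclass
class Tunnel:
    """Hypothetical model of one IPSec tunnel with an optional backup endpoint."""
    primary: str
    backup: Optional[str] = None
    active: str = ""
    last_sent: float = 0.0       # time the router last sent traffic to the peer
    last_received: float = 0.0   # time the router last received traffic from the peer
    state: str = "up"            # what 'show ipsec tunnel detail' would report
    sas: List[str] = field(default_factory=list)  # SA identifiers (constructed)

    def __post_init__(self) -> None:
        self.active = self.active or self.primary

def dpd_probe_needed(t: Tunnel, now: float) -> Optional[str]:
    """Return which DPD rule triggers an inquiry at time `now`, or None."""
    # Rule 1: we sent traffic recently, yet the peer has been silent.
    if now - t.last_sent <= SENT_WINDOW and now - t.last_received >= RECV_SILENCE:
        return "traffic-based"
    # Rule 2: idle timer, no traffic at all in either direction.
    if now - max(t.last_sent, t.last_received) >= IDLE_TIMEOUT:
        return "idle-timer"
    return None

def on_peer_unreachable(t: Tunnel) -> Tunnel:
    """Apply the actions the manual lists once DPD declares the peer lost."""
    t.state = "down"     # interface shown as down; forwarding to the peer stops
    t.sas.clear()        # all SAs between the two endpoints are cleared
    if t.backup and t.active != t.backup:
        t.active = t.backup          # optional failover to the alternate destination
        t.state = "negotiating"      # new IPSec SAs are established with the new peer
    return t

def dpd_tick(t: Tunnel, now: float, peer_answers: bool) -> Optional[str]:
    """Run one DPD evaluation; `peer_answers` stands in for the inquiry reply."""
    rule = dpd_probe_needed(t, now)
    if rule is not None and not peer_answers:
        on_peer_unreachable(t)
    return rule
```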
Chapter 5: Configuring IPSec
133
