IPSec Gateway - why is no DPD option for IKEv2 available?

USG_User
USG_User Posts: 238  Master Member
The IPSec VPN Gateway Settings offer, for Phase 1 of IKEv1 (advanced settings), a "Dead Peer Detection" (DPD).

In contrast, IKEv2 doesn't offer such a detection. Why not?
The USG is also able to recognize a dead peer for IKEv2 and shows its state in the VPN Connection table with a colored or greyed connection symbol, depending on whether the VPN tunnel is established or terminated.

Presently we're regularly encountering problems with a terminated IPSec IKEv2 Site-to-Site VPN connection, which we have to reconnect manually every time. Unfortunately we are not able to ping the VPN Gateway at the opposite side to set up a Connectivity Check as offered by the VPN Connection Settings.

A simple DPD, also for IKEv2, would be very helpful. Are there any reasons why this is not offered?

All Replies

  • zyman2008
    zyman2008 Posts: 122  Ally Member
    In the IKEv2 RFC, a behavior like IKEv1 DPD is mandatory.
    https://datatracker.ietf.org/doc/html/rfc5996
       If no cryptographically protected messages have been received on an IKE SA
       or any of its Child SAs recently, the system needs to perform a
       liveness check in order to prevent sending messages to a dead peer.
       (This is sometimes called "dead peer detection" or "DPD", although it
       is really detecting live peers, not dead ones.)

    That means it's always on.
  • USG_User
    USG_User Posts: 238  Master Member
    Thanks Zyman2008. Interesting link.
    To my understanding it means that the DPD functionality is for detecting live peers, not dead peers, in order to avoid sending encrypted transmissions into "black holes". But DPD is not intended for automatic re-connection attempts in case of a disconnected VPN tunnel, is it?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 814  Zyxel Employee
    IKEv2 DPD is always on, and it is mainly for detecting live peers.
    If the device gets no response from the peer, the peer is declared dead and the SA is deleted.
    The gateway will then send an IKEv2 request to re-initialize the VPN connection.
    In the USG you can see this:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    DPD: The remote address of [WIZ_VPN:WIZ_VPN] has been no response.
    Peer not reachable
    IKE SA [WIZ_VPN] is disconnected
    Tunnel[WIZ_VPN:WIZ_VPN] Send IKEv2 request
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • USG_User
    USG_User Posts: 238  Master Member
    Since we've arranged an IPSec connectivity check where a host within the opposite VPN subnet is pinged regularly, the tunnel remains alive and the SA lease time seems to be renewed automatically.

    It seems an ICMP ping creates the necessary traffic for DPD to detect live peers, even when no other traffic is currently being led through the tunnel.

    On the other hand, is it normal that a S-to-S tunnel is terminated as soon as no traffic is passing through the tunnel and the SA lease time has expired?
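To make the RFC 5996 liveness rule quoted above and the log sequence shown by Zyxel_Cooldia concrete, here is an added Python model of the IKEv2 liveness check as a small state machine; it is example code, not Zyxel firmware or code from this thread, and the timer values, retry count and function names are assumptions. It also shows why a regular ping through the tunnel keeps the check from ever firing: any protected inbound message (IKE or ESP on a Child SA) counts as proof of life.

```python
"""Simplified IKEv2 liveness check ('DPD') per RFC 5996 section 2.4.
A liveness check (empty INFORMATIONAL) is sent only after `idle_limit`
seconds without any cryptographically protected message on the IKE SA or
its Child SAs; a peer that stays silent through `max_retries` retransmits
is declared dead, the SA is deleted and a new IKE_SA_INIT is triggered.
Timer values and names below are assumptions, not vendor defaults."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkeSa:
    name: str
    last_protected_rx: float          # time of last protected inbound message
    idle_limit: float = 30.0          # idle seconds before a liveness check (assumed)
    retry_interval: float = 5.0       # retransmit spacing in seconds (assumed)
    max_retries: int = 3              # retransmits before declaring the peer dead
    pending_since: Optional[float] = None
    retries: int = 0
    events: List[str] = field(default_factory=list)

    def on_protected_rx(self, now: float) -> None:
        """Any protected message (IKE or ESP, e.g. a ping reply through the
        tunnel) proves the peer is alive and cancels a pending check."""
        self.last_protected_rx = now
        self.pending_since = None
        self.retries = 0

    def tick(self, now: float) -> str:
        """Drive the SA at time `now`; returns 'alive', 'checking' or 'reinit'."""
        if self.pending_since is None:
            if now - self.last_protected_rx < self.idle_limit:
                return "alive"                       # recent traffic: no check needed
            self.pending_since = now
            self.events.append(f"{self.name}: send empty INFORMATIONAL (liveness)")
            return "checking"
        if now - self.pending_since < self.retry_interval:
            return "checking"                        # still waiting for the reply
        self.pending_since = now
        self.retries += 1
        if self.retries < self.max_retries:
            self.events.append(f"{self.name}: retransmit liveness #{self.retries}")
            return "checking"
        # Same sequence as the USG log: unreachable -> SA deleted -> re-initiate.
        self.events += [f"{self.name}: peer not reachable",
                        f"{self.name}: IKE SA disconnected",
                        f"{self.name}: send IKE_SA_INIT"]
        self.pending_since, self.retries, self.last_protected_rx = None, 0, now
        return "reinit"
```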
