IPSec Gateway - why is no DPD option for IKEv2 available?

USG_User
USG_User Posts: 369  Master Member
The IPSec VPN Gateway Settings offer, for Phase 1 of IKEv1 (advanced settings), a "Dead Peer Detection" (DPD) option.

In contrast, IKEv2 doesn't offer such a detection. Why not?
Also for IKEv2 the USG is able to recognize a dead peer and shows its state in the VPN Connection table with a colored or greyed connection symbol, depending on whether the VPN tunnel is established or terminated.

Presently we're regularly encountering problems with a terminated IPSec IKEv2 Site-to-Site VPN connection, which we have to re-connect manually every time. Unfortunately we are not able to ping the VPN Gateway at the opposite side to establish a Connectivity Check as offered by the VPN Connection Settings.

A simple DPD, also for IKEv2, would be very helpful. Are there any reasons why this is not offered?

All Replies

  • zyman2008
    zyman2008 Posts: 197  Master Member
    In the IKEv2 RFC, a behavior like IKEv1 DPD is mandatory.
    https://datatracker.ietf.org/doc/html/rfc5996

       If no cryptographically protected messages have been received on an IKE SA
       or any of its Child SAs recently, the system needs to perform a
       liveness check in order to prevent sending messages to a dead peer.
       (This is sometimes called "dead peer detection" or "DPD", although it
       is really detecting live peers, not dead ones.)

    That means it's always on.
  • USG_User
    USG_User Posts: 369  Master Member
    Thanks Zyman2008. Interesting link.
    For my understanding it means that DPD functionality is for detecting live peers, not dead peers, to finally avoid sending encrypted transmissions into "black holes". But DPD is not intended for automatic re-connection attempts in case of a disconnected VPN tunnel, is it?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    IKEv2 DPD is always on, and it is mainly for detecting live peers.
    If the device gets no response from the peer, the peer is declared dead and the SA is deleted.
    The gateway will then send an IKEv2 request to re-initialize the VPN connection.
    In the USG you can see that,
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    DPD: The remote address of [WIZ_VPN:WIZ_VPN] has been no response.
    Peer not reachable
    IKE SA [WIZ_VPN] is disconnected
    Tunnel[WIZ_VPN:WIZ_VPN] Send IKEv2 request
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • USG_User
    USG_User Posts: 369  Master Member
    Since we've set up an IPSec connectivity check that regularly pings a host within the opposite VPN subnet, the tunnel remains alive and the SA lease time seems to be renewed automatically.

    It seems an ICMP ping creates the necessary traffic for DPD to detect a live peer, even when no other traffic is currently passing through the tunnel.

    On the other hand, is it normal that a Site-to-Site tunnel is terminated as soon as no traffic is passing through the tunnel and the SA lease time has expired?
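The mechanism described in the RFC quote above (a liveness check is only needed when no protected message has been *received* recently), in Zyxel_Cooldia's reply (no response, peer declared dead, SA deleted, re-initiate) and in the ping observation just above, as an added Python simulation written for this page. It is not USG firmware or any Zyxel tool; the 30 s silence threshold, the 2 s exponential retransmit timer and the three-retransmit limit are assumed illustrative values, not the USG's real timers, and the SA name WIZ_VPN is only borrowed from the log excerpt.

```python
"""IKEv2 liveness check ("DPD") as a small simulation.

Added example, not Zyxel USG code: it models section 2.4 of RFC 5996 (now
RFC 7296) quoted in the thread. The 30 s silence threshold, the 2 s
exponential retransmit timer and the three-retransmit limit are assumed,
illustrative values, not the USG's real timers.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IkeSa:
    name: str
    dpd_interval: float = 30.0     # assumed: seconds of inbound silence before a check
    retransmit_base: float = 2.0   # assumed: first retransmit timeout, doubled per retry
    max_retransmits: int = 3       # assumed: unanswered retransmits before "dead"
    state: str = "ESTABLISHED"
    last_rx: float = 0.0           # time of the last protected message on IKE or Child SA
    pending_since: Optional[float] = None
    next_retransmit: Optional[float] = None
    retries: int = 0
    checks_sent: int = 0
    dead_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def receive_protected(self, now: float, what: str) -> None:
        """Any cryptographically protected inbound message resets the silence timer:
        an INFORMATIONAL response, but equally an ESP packet (e.g. a ping reply) on a Child SA."""
        if self.state != "ESTABLISHED":
            return
        self.last_rx = now
        if self.pending_since is not None:
            self.log.append(f"{now:5.0f}s {self.name}: liveness confirmed by {what}")
        self.pending_since = None
        self.next_retransmit = None
        self.retries = 0

    def tick(self, now: float) -> Optional[str]:
        """Advance timers. Returns the message that would go on the wire ('CHECK' for a
        new empty INFORMATIONAL request, 'RETRANSMIT'), 'DEAD' on teardown, else None."""
        if self.state != "ESTABLISHED":
            return None
        if self.pending_since is None:
            if now - self.last_rx < self.dpd_interval:
                return None                     # recent protected traffic: no check needed
            self.pending_since = now
            self.next_retransmit = now + self.retransmit_base
            self.checks_sent += 1
            self.log.append(f"{now:5.0f}s {self.name}: send empty INFORMATIONAL (liveness check)")
            return "CHECK"
        if now < self.next_retransmit:
            return None
        if self.retries >= self.max_retransmits:
            # Retransmission budget exhausted: the peer is declared dead, the IKE SA and its
            # Child SAs are deleted and a fresh IKE_SA_INIT is queued, the sequence the USG
            # logs as "Peer not reachable" / "IKE SA ... is disconnected" / "Send IKEv2 request".
            self.state = "REINITIATING"
            self.dead_at = now
            self.log.append(f"{now:5.0f}s {self.name}: no response, peer not reachable, SA deleted, re-initiating")
            return "DEAD"
        self.retries += 1
        self.next_retransmit = now + self.retransmit_base * (2 ** self.retries)
        self.log.append(f"{now:5.0f}s {self.name}: retransmit liveness check #{self.retries}")
        return "RETRANSMIT"


def simulate(peer_alive: bool, ping_period: Optional[float], duration: float = 120.0) -> IkeSa:
    """Drive one IKE SA in 1 s steps. A live peer answers every liveness check at once;
    with ping_period set, a host behind a live peer answers a ping every ping_period
    seconds, which arrives as protected ESP traffic on the Child SA."""
    sa = IkeSa("WIZ_VPN")
    t = 0.0
    while t <= duration and sa.state == "ESTABLISHED":
        if peer_alive and ping_period and t > 0 and t % ping_period == 0:
            sa.receive_protected(t, "ESP ping reply on Child SA")
        if sa.tick(t) in ("CHECK", "RETRANSMIT") and peer_alive:
            sa.receive_protected(t, "INFORMATIONAL response")
        t += 1.0
    return sa


if __name__ == "__main__":
    for label, sa in [("idle tunnel, live peer", simulate(True, None)),
                      ("ping every 10 s, live peer", simulate(True, 10.0)),
                      ("idle tunnel, dead peer", simulate(False, None))]:
        print(f"== {label}: state={sa.state}, liveness checks sent={sa.checks_sent}")
        print("\n".join(sa.log[:8]) or "   (no liveness check was ever needed)")
```

Running it shows the three cases side by side: an idle tunnel to a live peer sends a liveness check every 30 s and stays up; with a ping answered every 10 s no check is ever sent, because the ESP reply already counts as a received protected message; with a dead peer the check is retransmitted with growing timeouts and the SA is torn down and re-initiated at 60 s. Note that only inbound protected traffic resets the timer, which is why a connectivity check that pings a reachable host behind the peer keeps the tunnel alive, whereas pinging an address that never answers generates only outbound traffic and does not.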
  • train_wreck
    train_wreck Posts: 5
    edited September 2022
    I realize it's over a year later, but I found this post while looking for info on changing IKEv2 settings.

    There are more settings available in the CLI. After configure terminal, go to "ikev2 policy <nameofpolicy>". You can configure the DPD interval from 15 to 60 seconds. You can disable it with "no dpd". As the Zyxel rep said, it is always on. And to keep the IPsec tunnel up at all times, make sure to enable the "Nailed Up" option on the tunnel.
