IPSec Gateway - why is no DPD option for IKEv2 available?
The IPSec VPN Gateway Settings offer, for Phase 1 of IKEv1 (advanced settings), a "Dead Peer Detection" (DPD).
In contrast, IKEv2 doesn't offer such a detection. Why not?
Also for IKEv2 the USG is able to recognize a dead peer and is showing its state in the VPN Connection table with a colored or greyed connection symbol, depending on an established or terminated VPN tunnel.
Presently we're regularly encountering problems with a terminated IPSec IKEv2 Site-to-Site VPN connection, where we have to manually re-connect every time. Unfortunately we are not able to ping the VPN Gateway at the opposite side to establish a Connectivity Check as offered by the VPN Connection Settings.
A simple DPD, also for IKEv2, would be very helpful. Are there any reasons why this is not offered?
All Replies
In the IKEv2 RFC, a behavior like IKEv1 DPD is mandatory.
https://datatracker.ietf.org/doc/html/rfc5996
"If no cryptographically protected messages have been received on an IKE SA or any of its Child SAs recently, the system needs to perform a liveness check in order to prevent sending messages to a dead peer. (This is sometimes called "dead peer detection" or "DPD", although it is really detecting live peers, not dead ones.)"
That means it's always on.
Thanks Zyman2008. Interesting link. To my understanding it means that the DPD functionality is for detecting live peers, not dead peers, to finally avoid sending encrypted transmissions into "black holes". But DPD is not intended for automatic re-connection attempts in case of a disconnected VPN tunnel, isn't it?
Hi @USG_User,
IKEv2 DPD is always on, and it is mainly for detecting live peers. Assume the device got no response from the peer: the peer is declared to be dead, and the SA is deleted. The gateway will then try to send an IKEv2 request to re-initialize the VPN connection. In the USG you can see that:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DPD: The remote address of [WIZ_VPN:WIZ_VPN] has been no response.
Peer not reachable
IKE SA [WIZ_VPN] is disconnected
Tunnel[WIZ_VPN:WIZ_VPN] Send IKEv2 request
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
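The reply above quotes the USG log lines emitted when IKEv2 liveness checking declares a peer dead and the gateway re-initiates the tunnel. An operator troubleshooting recurring drops usually wants those events counted per tunnel rather than read by hand. The following Python script is an added example written for this thread; it is not Zyxel code and is not part of the original post. It parses log lines in the same shape as the quoted excerpt (the timestamps and the second tunnel name `BRANCH_B` are constructed for illustration) and reports how many DPD timeouts, SA deletions and re-initiation attempts each tunnel produced, flagging tunnels whose gateway keeps retrying without the peer coming back.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the USG excerpt quoted in the reply above.
# Timestamps and the BRANCH_B tunnel are made up; the message formats follow the excerpt.
SAMPLE_LOG = """\
2024-01-10 08:00:01 DPD: The remote address of [WIZ_VPN:WIZ_VPN] has been no response.
2024-01-10 08:00:01 Peer not reachable
2024-01-10 08:00:02 IKE SA [WIZ_VPN] is disconnected
2024-01-10 08:00:02 Tunnel[WIZ_VPN:WIZ_VPN] Send IKEv2 request
2024-01-10 08:00:32 Tunnel[WIZ_VPN:WIZ_VPN] Send IKEv2 request
2024-01-10 09:15:40 DPD: The remote address of [BRANCH_B:BRANCH_B] has been no response.
2024-01-10 09:15:41 IKE SA [BRANCH_B] is disconnected
2024-01-10 09:15:41 Tunnel[BRANCH_B:BRANCH_B] Send IKEv2 request
"""

# The bracketed field is "<gateway>:<connection>"; we key on the gateway name.
DPD_RE = re.compile(r"DPD: The remote address of \[(?P<tunnel>[^:\]]+)[^\]]*\] has been no response")
DISC_RE = re.compile(r"IKE SA \[(?P<tunnel>[^\]]+)\] is disconnected")
RETRY_RE = re.compile(r"Tunnel\[(?P<tunnel>[^:\]]+)[^\]]*\] Send IKEv2 request")


def summarize_dpd_events(log_text):
    """Count liveness-check outcomes per tunnel.

    Returns {tunnel: {"dpd_timeouts": n, "sa_disconnects": n, "reconnect_attempts": n}}.
    """
    stats = defaultdict(lambda: {"dpd_timeouts": 0, "sa_disconnects": 0, "reconnect_attempts": 0})
    for line in log_text.splitlines():
        m = DPD_RE.search(line)
        if m:
            stats[m["tunnel"]]["dpd_timeouts"] += 1
            continue
        m = DISC_RE.search(line)
        if m:
            stats[m["tunnel"]]["sa_disconnects"] += 1
            continue
        m = RETRY_RE.search(line)
        if m:
            stats[m["tunnel"]]["reconnect_attempts"] += 1
    return dict(stats)


def tunnels_needing_attention(stats, max_retries=1):
    """Tunnels that re-initiated more than max_retries times: the peer is not
    answering the liveness check and the gateway is retrying, which is the
    symptom the original poster describes. Sorted for stable output."""
    return sorted(t for t, s in stats.items() if s["reconnect_attempts"] > max_retries)


if __name__ == "__main__":
    summary = summarize_dpd_events(SAMPLE_LOG)
    for tunnel, s in summary.items():
        print(f"{tunnel}: {s}")
    print("needs attention:", tunnels_needing_attention(summary))
```

Feed it the real log export in place of `SAMPLE_LOG`; a tunnel with repeated `Send IKEv2 request` lines after a single DPD timeout is the case where the remote peer, not DPD itself, is the thing to investigate.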
Since we've arranged an IPSec connectivity check where a host within the opposite VPN subnet will be pinged regularly, the tunnel remains alive and the SA lease time seems to be renewed automatically. It seems an ICMP ping creates the necessary traffic for detecting live peers by DPD, also in case no other traffic is currently led through the tunnel. On the other hand, is it normal that a S-to-S tunnel will be terminated as soon as no traffic is passing through the tunnel and the SA lease time has expired?
I realize it's over a year later, but I found this post while looking for info on changing IKEv2 settings. There are more settings available in the CLI. After configure terminal, go to "ikev2 policy <nameofpolicy>". You can configure the DPD interval from 15 to 60 seconds. You can disable it by doing "no dpd". As the Zyxel rep said, it is always on. And to keep the IPsec tunnel up at all times, make sure to enable the "Nailed Up" option on the tunnel.