Dead Peer Detection

This mechanism periodically checks whether the peer of an IKE security association is still reachable by exchanging encrypted messages. For IKEv1 it is specified in RFC 3706 ("Dead Peer Detection"). In IKEv2 it is called a "liveness check" and is an integral part of the protocol itself (RFC 7296, section 2.4). On SNS firewalls the feature is called "Dead Peer Detection" (DPD) for both IKEv1 and IKEv2.

The parameters that determine whether DPD declares a peer dead are:

  • The probing frequency (how often a DPD request is sent),

  • The time to wait for a reply to each request,

  • The number of consecutive failures (unanswered requests) tolerated.

If DPD requests go unanswered and the configured maximum number of failures is reached, the IKE SA and the IPsec SAs negotiated under it (the VPN tunnels) are torn down.

In IKEv2, there are several ways to use this mechanism:

  • In passive mode, the SNS firewall does not probe the peer itself; it only replies to DPD requests sent by the peer. A dead peer is therefore never detected locally in this mode,

  • In high and low modes, the SNS firewall probes the peer itself and also replies when it is contacted. In high mode, requests are sent more frequently than in low mode, so a dead peer is detected sooner.
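The following Python simulation is an added illustration and is not SNS firewall code: it models two IKE peers running DPD tick by tick and shows how the three parameters above (probing interval, reply timeout, maximum failures) and the three modes interact when the remote peer silently dies. The interval values for high and low mode, the 5-second timeout, the 3-failure limit and the one-tick network latency are assumptions chosen for the example, not SNS defaults.

```python
"""Discrete-time simulation of IKE Dead Peer Detection (DPD) decisions.

Added example, not SNS code. Timings below are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

LATENCY = 1  # ticks for a message to cross the network (assumption)


class DpdMode(Enum):
    PASSIVE = "passive"  # replies to probes, never sends its own
    LOW = "low"          # probes the peer at a long interval
    HIGH = "high"        # probes the peer at a short interval


# Assumed probing intervals per mode (seconds); passive never probes.
INTERVALS = {DpdMode.PASSIVE: 0, DpdMode.LOW: 30, DpdMode.HIGH: 10}


@dataclass
class DpdPolicy:
    mode: DpdMode
    interval: int      # seconds between probes; unused in passive mode
    timeout: int       # seconds to wait for a reply before counting a failure
    max_failures: int  # consecutive failures before the IKE SA is torn down


@dataclass
class Peer:
    name: str
    policy: DpdPolicy
    alive: bool = True                           # still processing IKE traffic
    failures: int = 0                            # consecutive unanswered probes
    next_probe_at: int = 0                       # tick of the next scheduled probe
    pending_since: Optional[int] = None          # tick of the probe awaiting a reply
    declared_peer_dead_at: Optional[int] = None  # tick at which the tunnel came down
    probes_sent: int = 0
    replies_sent: int = 0


def _send_probe(p: Peer, other: Peer, now: int, wire: List[Tuple]) -> None:
    p.probes_sent += 1
    p.pending_since = now
    wire.append((now + LATENCY, p, other, "probe"))


def simulate(local: Peer, remote: Peer, remote_dies_at: int, duration: int) -> None:
    """Run both peers for `duration` ticks; `remote` goes silent at `remote_dies_at`."""
    wire: List[Tuple] = []  # (deliver_at, sender, receiver, kind)
    for now in range(duration):
        if now == remote_dies_at:
            remote.alive = False  # crash or link loss: no more replies, ever
        # 1. Deliver messages arriving this tick.
        arriving = [m for m in wire if m[0] == now]
        wire = [m for m in wire if m[0] != now]
        for _, sender, receiver, kind in arriving:
            if not receiver.alive:
                continue  # dropped; the sender will time out
            if kind == "probe":
                receiver.replies_sent += 1  # every mode, passive included, answers
                wire.append((now + LATENCY, receiver, sender, "reply"))
            else:  # a reply: the peer is alive, reset the failure counter
                receiver.pending_since = None
                receiver.failures = 0
                receiver.next_probe_at = now + receiver.policy.interval
        # 2. Time out pending probes and send new ones.
        for p, other in ((local, remote), (remote, local)):
            if not p.alive or p.declared_peer_dead_at is not None:
                continue
            if p.pending_since is not None:
                if now - p.pending_since >= p.policy.timeout:
                    p.failures += 1
                    p.pending_since = None
                    if p.failures >= p.policy.max_failures:
                        p.declared_peer_dead_at = now  # IKE SA and child SAs go down
                    else:
                        _send_probe(p, other, now, wire)  # retry right away
            elif p.policy.mode is not DpdMode.PASSIVE and now >= p.next_probe_at:
                _send_probe(p, other, now, wire)


def run_scenario(local_mode: DpdMode, remote_dies_at: int = 15, duration: int = 200):
    """Local peer in `local_mode` faces a passive remote that dies at `remote_dies_at`.

    Returns (tick at which the local side tore the tunnel down or None,
             probes sent by the local side, replies sent by the remote).
    """
    local = Peer("local", DpdPolicy(local_mode, INTERVALS[local_mode], 5, 3))
    remote = Peer("remote", DpdPolicy(DpdMode.PASSIVE, 0, 5, 3))
    simulate(local, remote, remote_dies_at, duration)
    return local.declared_peer_dead_at, local.probes_sent, remote.replies_sent


if __name__ == "__main__":
    for mode in DpdMode:
        dead_at, probes, replies = run_scenario(mode)
        print(f"{mode.value:8s} tunnel down at: {dead_at}  probes: {probes}  replies: {replies}")
```

With the assumed values, the high-mode peer tears the tunnel down at tick 39 and the low-mode peer at tick 47, while the passive peer never notices that its remote died: against a remote that is also passive, nobody ever sends a probe. That is why passive mode is only a fallback when the remote's DPD support is unknown.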

R47 | SNS-SMC | Enable Dead Peer Detection
Dead Peer Detection should be enabled on every IPsec VPN tunnel, in high or low mode, so that the firewall itself detects an unreachable peer and tears the tunnel down.

R47 - | SNS-SMC | Use passive DPD mode
If it is not known whether the remote endpoint implements Dead Peer Detection, passive mode is the recommended minimum: the firewall then at least replies to any DPD request it receives. In this mode the firewall does not detect a dead peer on its own; detection relies entirely on the remote endpoint probing it.