Dead Peer Detection

This mechanism periodically checks that the remote IKE peer is still reachable by exchanging protected (encrypted and authenticated) messages over the IKE security association. In IKEv1, it is standardized in RFC 3706. In IKEv2, the same function is called "liveness check" and is built into the protocol itself (RFC 7296) rather than being an extension. On the SNS firewall, the mechanism is referred to as "Dead Peer Detection" (DPD) for both IKEv1 and IKEv2.

The parameters that determine DPD decisions are:

  • the probing interval (how often a DPD request is sent to the peer),

  • the response timeout (how long to wait for a reply to a request),

  • the number of consecutive failures (unanswered requests) tolerated before the peer is considered dead.

When DPD requests go unanswered and the maximum number of consecutive failures is reached, the peer is considered dead: the IKE VPN tunnel (IKE SA) and the IPsec VPN tunnels (IPsec SAs) negotiated under it are closed, so that stale security associations do not linger on the firewall.

In IKEv2, the SNS firewall offers three ways to use this mechanism:

  • In passive mode, the SNS firewall does not send DPD requests itself and therefore does not monitor the status of the peer, but it replies to any DPD request it receives,

  • In high and low modes, the SNS firewall actively monitors the status of the peer by sending DPD requests, and also replies when it is contacted. In high mode, requests are sent more frequently than in low mode, so a dead peer is detected sooner.
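As an added illustration (not taken from the SNS documentation or from any Stormshield code), the following Python simulation models the three DPD behaviours and the three decision parameters listed above, and shows how long each mode takes to notice a peer that has stopped answering. The probe intervals (10 s for high, 60 s for low), the 5-second response timeout and the 3-failure threshold are assumed values chosen for the example, not SNS defaults.

```python
"""Added example: a simulation of Dead Peer Detection decision logic.

This is not SNS code. It models the three DPD behaviours (passive / low /
high) with assumed parameters so that the detection delay and the effect of
each mode can be observed. Request/reply names follow RFC 3706
(R-U-THERE / R-U-THERE-ACK); the IKEv2 liveness exchange behaves the same
way for the purposes of this model.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class DpdMode(Enum):
    PASSIVE = "passive"  # answer requests only, never send any
    LOW = "low"          # send requests at a long interval
    HIGH = "high"        # send requests at a short interval


# Assumed probe intervals in seconds (illustrative, not SNS defaults).
PROBE_INTERVAL = {DpdMode.HIGH: 10, DpdMode.LOW: 60}


@dataclass
class Peer:
    name: str
    mode: DpdMode
    timeout: int = 5                    # assumed wait for a reply, in seconds
    max_failures: int = 3               # assumed consecutive unanswered requests tolerated
    dies_at: Optional[int] = None       # simulated crash time; None = stays up
    failures: int = 0
    next_probe_at: int = 0
    pending_since: Optional[int] = None  # send time of the outstanding unanswered request
    tunnel_closed_at: Optional[int] = None
    probes_sent: int = 0
    probes_answered: int = 0

    def is_alive(self, now: int) -> bool:
        return self.dies_at is None or now < self.dies_at

    def answer_probe(self, now: int) -> bool:
        """Every mode, passive included, answers R-U-THERE while the peer is up."""
        if self.is_alive(now):
            self.probes_answered += 1
            return True
        return False

    def tick(self, now: int, other: "Peer") -> None:
        """One second of DPD behaviour on this side of the tunnel."""
        if self.tunnel_closed_at is not None or not self.is_alive(now):
            return
        if self.mode is DpdMode.PASSIVE:
            return  # passive: never initiates, so never detects anything itself
        if self.pending_since is not None:
            if now - self.pending_since < self.timeout:
                return  # still waiting for the reply
            # Response timeout elapsed: count a failure, then retry at once.
            self.pending_since = None
            self.failures += 1
            if self.failures >= self.max_failures:
                self.tunnel_closed_at = now  # IKE SA and its IPsec SAs are torn down
                return
            self.next_probe_at = now
        if now >= self.next_probe_at:
            self.probes_sent += 1
            if other.answer_probe(now):
                self.failures = 0  # a reply resets the consecutive-failure counter
                self.next_probe_at = now + PROBE_INTERVAL[self.mode]
            else:
                self.pending_since = now


def simulate(a: Peer, b: Peer, duration: int = 300) -> Dict[str, Optional[int]]:
    """Run both peers for `duration` seconds; return when each side closed the tunnel."""
    for now in range(duration + 1):
        a.tick(now, b)
        b.tick(now, a)
    return {a.name: a.tunnel_closed_at, b.name: b.tunnel_closed_at}


def worst_case_detection(mode: DpdMode, timeout: int, max_failures: int) -> int:
    """Upper bound on the delay between the peer dying and the tunnel being closed:
    one full probe interval (the peer may die right after a good reply) plus one
    response timeout per tolerated failure."""
    return PROBE_INTERVAL[mode] + max_failures * timeout


if __name__ == "__main__":
    # Scenario 1: SNS in high mode, remote peer (passive) dies at t=30.
    print(simulate(Peer("sns", DpdMode.HIGH), Peer("remote", DpdMode.PASSIVE, dies_at=30)))
    # Scenario 2: same, but SNS in low mode: detection takes longer.
    print(simulate(Peer("sns", DpdMode.LOW), Peer("remote", DpdMode.PASSIVE, dies_at=30)))
    # Scenario 3: both sides passive: the dead peer is never detected.
    print(simulate(Peer("sns", DpdMode.PASSIVE), Peer("remote", DpdMode.PASSIVE, dies_at=30)))
```

With these assumed values, the high-mode firewall closes the tunnel 15 seconds after the peer dies, the low-mode firewall needs 45 seconds, and two passive peers never close it at all, which is why passive mode is only a fallback when the remote side's DPD support is unknown.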

R47 | SNS-SMC | Enable Dead Peer Detection
In an IPsec VPN tunnel, Dead Peer Detection should be enabled in high or low mode, so that the SNS firewall actively detects a dead peer and releases the associated IKE and IPsec security associations.

R47 - | SNS-SMC | Use passive DPD mode
If it is not known whether Dead Peer Detection is implemented on the remote endpoint, passive mode is the recommended fallback: the SNS firewall answers any DPD request it receives without initiating requests of its own. Note that in passive mode the firewall itself never detects a dead peer; detection then depends entirely on the remote endpoint.