Configuring a DPD detector

Dead peer detection (DPD) detects dead IKE peers on demand rather than at fixed intervals. It works as follows:

  • When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

  • If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

  • If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.

  • If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD enables an IKE entity to check the liveliness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.
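The timing described above, as an added model that is not vendor code: a small simulation of the DPD state machine using the page's defaults (10 s interval, 5 s retransmission interval, two retransmissions). It assumes that the peer is declared dead when the last retransmission also goes unanswered for one retransmission interval, and that any traffic from the peer cancels an outstanding hello; the `run` scenario and its time values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class DpdDetector:
    """On-demand liveliness check; defaults are the page's (10 s, 5 s, 2 retries)."""
    interval: float = 10.0      # DPD interval: idle time before a hello is sent
    timeout: float = 5.0        # DPD packet retransmission interval
    max_retries: int = 2        # retransmissions before the peer is considered dead
    last_rx: float = 0.0        # time the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None
    retries: int = 0
    peer_dead: bool = False
    events: List[Tuple[str, float]] = field(default_factory=list)

    def on_peer_traffic(self, now: float) -> None:
        """Any IPsec packet or DPD ack from the peer proves it is alive (assumption)."""
        self.last_rx, self.hello_sent_at, self.retries = now, None, 0

    def on_local_send(self, now: float) -> None:
        """The check runs only when the local end sends an IPsec packet."""
        if self.peer_dead or self.hello_sent_at is not None:
            return
        if now - self.last_rx > self.interval:
            self.hello_sent_at = now
            self.events.append((f"DPD hello (retry {self.retries})", now))

    def tick(self, now: float) -> None:
        """Timer: retransmit the hello, or clear the SAs after max_retries."""
        if self.peer_dead or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at >= self.timeout:
            if self.retries >= self.max_retries:
                self.peer_dead = True
                self.events.append(("clear IKE SA + IPsec SAs", now))
                return
            self.retries += 1
            self.hello_sent_at = now
            self.events.append((f"DPD hello (retry {self.retries})", now))

def run(ack_at: Optional[float], horizon: int = 40) -> DpdDetector:
    """Constructed scenario: peer last seen at t=0, local end transmits every second."""
    d = DpdDetector()
    for t in range(1, horizon):
        if ack_at is not None and t == ack_at:
            d.on_peer_traffic(t)
        d.on_local_send(t)
        d.tick(t)
    return d
```

With a silent peer the SAs are cleared at t=26 (hello at 11, retransmissions at 16 and 21), so worst-case detection time with the defaults is the interval plus three retransmission intervals; an acknowledgement at t=12 resets the detector and no retransmission occurs.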

To configure a DPD detector:

Step                                            Command                       Remarks
1. Enter system view.                           system-view                   N/A
2. Create a DPD detector and enter its view.    ike dpd dpd-name              N/A
3. Set the DPD interval.                        interval-time interval-time   Optional. 10 seconds by default.
4. Set the DPD packet retransmission interval.  time-out time-out             Optional. 5 seconds by default.