
(Optional) Configuring DPD to Detect the IKE Peer Status

Context

In IPSec communication, heartbeat detection technology detects faults at the remote end and prevents packet loss. However, periodically sending heartbeat messages consumes CPU resources at both ends and limits the number of established IPSec sessions.

Dead Peer Detection (DPD) technology sends DPD packets based on IPSec packets between IKE peers, and does not periodically send heartbeat packets. When the local end can receive IPSec traffic from the remote end, the local end considers the remote end as active. The local end sends DPD packets to detect the status of the remote end when the local end does not receive IPSec traffic from the remote end within a given period of time. If the local end does not receive response packets after sending DPD packets several times, the local end considers the remote end as unreachable and deletes the IKE SA or IPSec SA between IKE peers.

If heartbeat detection is used, the two ends periodically send heartbeat packets, and the settings at the two ends must match. If DPD is used, the settings at the two ends do not need to match, except for the payload sequence in DPD packets. While IPSec packets are being exchanged between IKE peers, no DPD packets are sent; DPD packets are sent only when one end has not received IPSec packets from the other end for a period of time. This saves resources.

When both heartbeat detection and DPD are used, DPD takes effect.

If the local end does not receive a DPD response packet from the remote end within the DPD packet retransmission interval, the local end retransmits the DPD request packet. If the local end still receives no DPD response packet after the DPD packet retransmission count is reached, the local end considers that the remote end has gone offline and deletes the IKE SA and IPSec SA.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-plus } ]

    An Efficient VPN policy is created and the Efficient VPN policy view is displayed.

  3. Run dpd msg { seq-hash-notify | seq-notify-hash }

    The payload sequence of DPD packets on an IKE peer is configured.

    By default, the payload sequence of DPD packets on an IKE peer is seq-notify-hash.

    The two ends must use the same sequence of the payload in DPD packets; otherwise, DPD does not take effect.

  4. Run dpd msg notify-hash-sequence learning

    Automatic learning of the payload sequence of DPD packets is enabled.

    By default, automatic learning of the payload sequence of DPD packets is enabled.

    After this command is configured, when the local end receives a DPD packet from the remote end, the local end learns the payload sequence of the DPD packet and sends a DPD packet in the same payload sequence.
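The following is an added model, written for this page and not Huawei code, of the DPD behaviour described above: DPD requests start only after a period with no IPSec traffic from the peer, a request is retransmitted at the retransmission interval, the SAs are deleted once the retransmission count is exhausted, a peer whose `dpd msg` payload sequence differs and has learning disabled never answers (so DPD does not take effect), and a peer with learning enabled adopts the sender's payload sequence. The timer values (30 s idle, 15 s interval, 3 retransmissions), the packet fields and the simulation driver are assumptions made for the illustration.

```python
# Constructed model of DPD timers and payload-sequence handling. Added illustration,
# not Huawei code; timer values and packet fields are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# The two payload orders selectable with `dpd msg` (names taken from the page).
SEQ_HASH_NOTIFY = "seq-hash-notify"
SEQ_NOTIFY_HASH = "seq-notify-hash"


@dataclass
class DpdPacket:
    kind: str       # "request" or "response"
    sequence: str   # payload order the sender used
    seq_no: int     # assumed per-request number echoed back in the response


@dataclass
class DpdPeer:
    name: str
    sequence: str = SEQ_NOTIFY_HASH   # page default for `dpd msg`
    learning: bool = True             # page default: automatic learning enabled
    idle_time: int = 30               # assumed: seconds without IPSec traffic before DPD starts
    retransmit_interval: int = 15     # assumed: seconds to wait for a DPD response
    retransmit_count: int = 3         # assumed: retransmissions before the peer is declared dead
    last_rx: int = 0                  # when IPSec traffic (or a DPD response) last arrived
    pending_since: Optional[int] = None  # when the unanswered DPD request was sent
    retries: int = 0
    requests_sent: int = 0
    sa_up: bool = True
    down_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def on_ipsec_traffic(self, now: int) -> None:
        """IPSec traffic from the remote end proves it is alive, so no DPD is needed."""
        self.last_rx = now
        self.pending_since = None
        self.retries = 0

    def on_dpd_packet(self, pkt: DpdPacket, now: int) -> Optional[DpdPacket]:
        """Process a DPD packet from the remote end; return a response to send, if any."""
        if pkt.sequence != self.sequence:
            if not self.learning:
                # Mismatched payload order without learning: the packet is not understood,
                # so the request goes unanswered and DPD does not take effect.
                self.log.append(f"t={now}: {self.name} dropped DPD {pkt.kind} ({pkt.sequence})")
                return None
            self.log.append(f"t={now}: {self.name} learned payload sequence {pkt.sequence}")
            self.sequence = pkt.sequence   # reply (and later requests) use the learned order
        if pkt.kind == "request":
            return DpdPacket("response", self.sequence, pkt.seq_no)
        # A response answers the outstanding request and counts as proof of life.
        self.pending_since = None
        self.retries = 0
        self.last_rx = now
        return None

    def tick(self, now: int) -> Optional[DpdPacket]:
        """Run the DPD timers once per second; return a DPD request to send, or None."""
        if not self.sa_up:
            return None
        if self.pending_since is None:
            return self._send_request(now) if now - self.last_rx >= self.idle_time else None
        if now - self.pending_since < self.retransmit_interval:
            return None
        if self.retries >= self.retransmit_count:
            # Retransmission count exhausted: remote is unreachable, tear down both SAs.
            self.sa_up = False
            self.down_at = now
            self.log.append(f"t={now}: {self.name} deleted IKE SA and IPSec SA")
            return None
        self.retries += 1
        return self._send_request(now)

    def _send_request(self, now: int) -> DpdPacket:
        self.pending_since = now
        self.requests_sent += 1
        return DpdPacket("request", self.sequence, self.requests_sent)


def simulate(local: DpdPeer, remote: DpdPeer, duration: int,
             remote_alive: bool = True, traffic_times=()) -> DpdPeer:
    """Drive `local` through one-second ticks (only `local` initiates DPD here).
    Packets are delivered instantly; `traffic_times` are the seconds at which IPSec
    traffic from `remote` arrives; `remote_alive=False` models a peer that vanished."""
    for now in range(duration + 1):
        if now in traffic_times:
            local.on_ipsec_traffic(now)
        req = local.tick(now)
        if req is not None and remote_alive:
            resp = remote.on_dpd_packet(req, now)
            if resp is not None:
                local.on_dpd_packet(resp, now)
    return local


if __name__ == "__main__":
    dead = simulate(DpdPeer("A"), DpdPeer("B"), 100, remote_alive=False)
    print(dead.log)  # SAs deleted at t=90 after 4 requests (1 initial + 3 retransmissions)
    learner = DpdPeer("B", sequence=SEQ_HASH_NOTIFY)
    simulate(DpdPeer("A"), learner, 100)
    print(learner.log)  # B learned seq-notify-hash from A's first request
```

Running the four scenarios in the test (dead peer, live peer with intermittent traffic, mismatched sequence without learning, mismatched sequence with learning) shows why the page insists the payload sequence must match: a peer that cannot parse the request behaves, from the sender's point of view, exactly like a dead peer, and the SAs are torn down on a perfectly healthy tunnel.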

Copyright © Huawei Technologies Co., Ltd.