IP connectivity between two IKE peers may be lost because of routing problems or because one peer reloads. The base IKE protocol has no peer-detection function: if a peer becomes unreachable, nothing can be done except wait for the SA lifetime to expire, and the SA stays in place until then. Meanwhile the surviving peer keeps encrypting traffic into a tunnel that nobody is listening to, so an unreachable peer creates a black hole in which data is silently dropped. To restore IPsec communication, the black hole has to be detected and the stale SA torn down.
The keepalive mechanism addresses this problem: IKE peers periodically exchange Hello and ACK messages to tell each other that they are still alive. However, when the number of IKE SAs is large, these Hello/ACK exchanges consume a large amount of CPU, because every SA is probed whether or not it is carrying traffic. In such deployments keepalive scales poorly.
Dead Peer Detection (DPD), defined in RFC 3706, is an alternative to keepalive. DPD minimizes the number of detection messages by using the IPsec traffic itself as evidence that the peer is alive. Each peer's DPD state is independent of the other's: a peer that wants to know whether its counterpart is still online can send a probe whenever it chooses rather than on a fixed schedule. As long as normal IPsec traffic is arriving from the peer, the peer is evidently online and no extra detection message is needed. Only when no IPsec traffic has been received for some time does the local end send a DPD request (an R-U-THERE notification) and wait for the peer's R-U-THERE-ACK. These notifications are exchanged under the protection of the IKE SA and carry a monotonically increasing sequence number, so an attacker can neither forge a liveness reply nor replay an old one to keep a dead SA alive.
DPD provides two mode parameters: interval and on-demand.
interval indicates that DPD works in polling mode. If the local end receives no traffic from the peer within the period specified by check-interval, it sends a DPD request. If the peer responds, the detection process ends and a new check-interval period starts. If no response arrives, the local end retransmits the DPD request; if the retransmissions are exhausted without a response, the local end deletes its local SA entries and re-establishes the tunnel from scratch. Because the timer runs on every SA regardless of traffic, a dead peer on an idle tunnel is detected within roughly check-interval plus the retransmission time, at the cost of periodic probes on every SA.
on-demand indicates that DPD works in triggered mode. If the local end sends no encrypted traffic, it sends no DPD requests either. If it has sent encrypted traffic but received nothing from the peer within the period specified by check-interval, it sends a DPD request. If the peer responds, the detection process ends and a new check-interval period starts. If no response arrives, the local end retransmits the DPD request; if the retransmissions are exhausted without a response, the local end deletes its local SA entries and re-establishes the tunnel from scratch. Because probes are sent only when there is outbound traffic with nothing coming back, on-demand mode costs nothing on idle tunnels, but a peer that dies while the tunnel is idle is not detected until the local end next tries to send.