
(Optional) Configuring DPD

Context

In IPSec communication, heartbeat detection technology detects faults at the remote end and prevents packet loss. However, periodically sending heartbeat messages consumes CPU resources at both ends and limits the number of established IPSec sessions.

Dead Peer Detection (DPD) technology sends DPD packets based on IPSec packets between IKE peers, and does not periodically send heartbeat packets. When the local end can receive IPSec traffic from the remote end, the local end considers the remote end as active. The local end sends DPD packets to detect the status of the remote end when the local end does not receive IPSec traffic from the remote end within a given period of time. If the local end does not receive response packets after sending DPD packets several times, the local end considers the remote end as unreachable and deletes the IKE SA or IPSec SA between IKE peers.

If heartbeat detection is used, the two ends periodically send heartbeat packets, and the heartbeat settings at the two ends must match. If DPD is used, the settings at the two ends do not need to match, except for the payload sequence in DPD packets. While IPSec packets are being exchanged between IKE peers, no DPD packets are sent; DPD packets are sent only when one end has not received IPSec packets from the other end for a period of time. This saves resources.

When both heartbeat detection and DPD are used, DPD takes effect.

DPD and its detection mode are configured using the dpd type or ike dpd type command. Two DPD modes are available:
  • On-demand DPD

    When the local end has IPSec packets to send to the remote end and finds that the DPD idle time has been reached, it sends a DPD request packet to the remote end.

  • Periodic DPD

    If the local end does not receive IPSec packets or a DPD request packet from the remote end after the DPD idle time expires, it periodically sends a DPD request packet to the remote end.

If the local end does not receive a DPD response packet from the remote end within the DPD packet retransmission interval, the local end retransmits the DPD request packet. If the local end still receives no DPD response packet once the DPD packet retransmission count is reached, the local end considers the remote end offline and deletes the IKE SA and IPSec SA.

DPD parameters can be configured globally or on an IKE peer. DPD parameters configured on an IKE peer take precedence over those configured globally. When DPD parameters are not configured on an IKE peer, the global DPD parameter settings take effect.

Procedure

  • Configure DPD globally.
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run ike dpd msg { seq-hash-notify | seq-notify-hash }

      The sequence of the payload in DPD packets is configured.

      By default, the sequence of the payload in DPD packets is seq-hash-notify.

      The two ends must use the same sequence of the payload in DPD packets; otherwise, DPD does not take effect.

    3. Run ike dpd type { on-demand | periodic }

      The DPD mode is configured.

      By default, the DPD type is not set globally and the DPD function is disabled.

      After the DPD type is set, the DPD function is enabled.

    4. Run ike dpd { idle-time interval | retransmit-interval interval | retry-limit times }

      The DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions are set.

      By default, the DPD idle time is 30s, the DPD packet retransmission interval is 15s, and the maximum number of DPD packet retransmissions is 3.

    5. (Optional) Run ike dpd packet receive if-related enable

      The function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA is enabled.

      By default, the function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA is disabled.

      When IPSec policies with different names and the same parameters have been applied to multiple interfaces of the device and post-IPSec check has been enabled, the device discards encrypted traffic if the interface that receives encrypted traffic is not the interface that establishes an IPSec SA during an interface switchover. However, the DPD detection result of IKE peers is still normal, resulting in a failure to trigger IKE re-negotiation. As a result, services are interrupted for a long period of time. You need to run the ike dpd packet receive if-related enable command to enable the function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA. If the two interfaces are different, DPD packets are discarded and the DPD detection result becomes abnormal. This causes the IPSec SA to be deleted and triggers IKE re-negotiation.

      This function applies only to the scenario where IPSec policies have been applied to physical interfaces.

  • Configure DPD on an IKE peer.
    1. Run system-view

      The system view is displayed.

    2. Run ike peer peer-name

      The IKE peer view is displayed.

    3. (Optional) Run dpd msg { seq-hash-notify | seq-notify-hash }

      The sequence of the payload in DPD packets is configured.

      By default, the sequence of the payload in DPD packets is seq-hash-notify.

      The two ends must use the same sequence of the payload in DPD packets; otherwise, DPD does not take effect.

    4. (Optional) Run dpd msg notify-hash-sequence learning

      Automatic learning of the payload sequence of DPD packets is enabled.

      By default, automatic learning of the payload sequence of DPD packets is enabled.

      After this command is configured, when the local end receives a DPD packet from the remote end, the local end learns the payload sequence of the DPD packet and sends a DPD packet in the same payload sequence.

    5. Run dpd { idle-time interval | retransmit-interval interval | retry-limit times }

      The DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions are set.

      By default, the DPD idle time is 30s, the DPD packet retransmission interval is 15s, and the maximum number of DPD packet retransmissions is 3.

    6. Run dpd type { on-demand | periodic }

      The on-demand or periodic DPD mode is configured.

      By default, the DPD mode is not configured on an IKE peer.

    7. (Optional) Run dpd packet receive if-related enable

      The function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA is enabled.

      By default, the function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA is disabled.

      When IPSec policies with different names and the same parameters have been applied to multiple interfaces of the device and post-IPSec check has been enabled, the device discards encrypted traffic if the interface that receives encrypted traffic is not the interface that establishes an IPSec SA during an interface switchover. However, the DPD detection result of IKE peers is still normal, resulting in a failure to trigger IKE re-negotiation. As a result, services are interrupted for a long period of time. You need to run the dpd packet receive if-related enable command to enable the function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA. If the two interfaces are different, DPD packets are discarded and the DPD detection result becomes abnormal. This causes the IPSec SA to be deleted and triggers IKE re-negotiation.

      This function applies only to the scenario where IPSec policies have been applied to physical interfaces.
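The liveness logic described in the Context section (DPD idle time, on-demand versus periodic triggering, retransmission interval and retry limit), the rule that IKE-peer settings take precedence over global ones, and the interface check enabled by dpd packet receive if-related enable, modelled in Python as an added example. This is not Huawei code and not the device's implementation. Assumptions not stated on the page: the initial DPD request is not counted against retry-limit, so with retry-limit 3 four requests go out before the peer is declared offline; fallback from peer to global to documented default is per parameter; time advances in whole seconds; the interface names (GE0/0/1, GE0/0/2) and the event times in the scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Defaults stated on the page: idle-time 30s, retransmit-interval 15s, retry-limit 3.
DEFAULT_IDLE_TIME = 30
DEFAULT_RETRANSMIT_INTERVAL = 15
DEFAULT_RETRY_LIMIT = 3


@dataclass
class DpdParams:
    dpd_type: Optional[str] = None            # "on-demand", "periodic", or None (DPD disabled)
    idle_time: Optional[int] = None
    retransmit_interval: Optional[int] = None
    retry_limit: Optional[int] = None
    if_related: Optional[bool] = None         # dpd packet receive if-related enable


def effective_params(global_cfg: DpdParams, peer_cfg: DpdParams) -> DpdParams:
    """IKE-peer settings win; unset fields fall back to global, then to the default (assumed per-parameter)."""
    def pick(peer_val, global_val, default):
        if peer_val is not None:
            return peer_val
        return global_val if global_val is not None else default

    return DpdParams(
        dpd_type=pick(peer_cfg.dpd_type, global_cfg.dpd_type, None),
        idle_time=pick(peer_cfg.idle_time, global_cfg.idle_time, DEFAULT_IDLE_TIME),
        retransmit_interval=pick(peer_cfg.retransmit_interval,
                                 global_cfg.retransmit_interval, DEFAULT_RETRANSMIT_INTERVAL),
        retry_limit=pick(peer_cfg.retry_limit, global_cfg.retry_limit, DEFAULT_RETRY_LIMIT),
        if_related=pick(peer_cfg.if_related, global_cfg.if_related, False),
    )


@dataclass
class DpdState:
    """DPD state kept by the local end for one IKE peer (time in whole seconds)."""
    params: DpdParams
    sa_interface: str = "GE0/0/1"    # constructed name: interface on which the IPSec SA was set up
    last_rx: int = 0                 # last time IPSec traffic or a DPD request came from the remote end
    last_sent: Optional[int] = None  # time of the most recent unanswered DPD request
    retransmits: int = 0
    sent: List[int] = field(default_factory=list)
    sa_deleted_at: Optional[int] = None

    def receive_traffic(self, now: int) -> None:
        # IPSec traffic or a DPD request from the remote end proves it is alive
        # and cancels any pending DPD request.
        self.last_rx = now
        self.last_sent = None
        self.retransmits = 0

    def receive_dpd_response(self, now: int, iface: str) -> bool:
        # With if-related checking enabled, a DPD packet arriving on an interface other
        # than the SA's interface is discarded, so the pending request stays unanswered.
        if self.params.if_related and iface != self.sa_interface:
            return False
        self.receive_traffic(now)
        return True

    def tick(self, now: int, has_traffic_to_send: bool = False) -> None:
        p = self.params
        if p.dpd_type is None or self.sa_deleted_at is not None:
            return
        if self.last_sent is None:
            if now - self.last_rx < p.idle_time:
                return          # remote end seen recently: no probe needed
            if p.dpd_type == "on-demand" and not has_traffic_to_send:
                return          # on-demand mode probes only when there is traffic to send
            self._send(now)
        elif now - self.last_sent >= p.retransmit_interval:
            if self.retransmits >= p.retry_limit:
                self.sa_deleted_at = now   # retry limit reached: peer offline, delete IKE/IPSec SA
            else:
                self.retransmits += 1
                self._send(now)

    def _send(self, now: int) -> None:
        self.sent.append(now)
        self.last_sent = now


def simulate(params: DpdParams, traffic_at: Set[int] = frozenset(),
             send_wish_at: Set[int] = frozenset(), responses: Optional[Dict[int, str]] = None,
             end: int = 120):
    """Drive the state machine from t=0 to `end`; returns (DPD request times, SA deletion time)."""
    state = DpdState(params)
    for t in range(end + 1):
        if t in traffic_at:
            state.receive_traffic(t)
        if responses and t in responses:
            state.receive_dpd_response(t, responses[t])
        state.tick(t, has_traffic_to_send=(t in send_wish_at))
        if state.sa_deleted_at is not None:
            break
    return state.sent, state.sa_deleted_at


if __name__ == "__main__":
    cfg = effective_params(DpdParams(dpd_type="periodic"), DpdParams())
    # Constructed scenario: traffic from the remote end at t=0, then silence.
    print(simulate(cfg, traffic_at={0}))   # ([30, 45, 60, 75], 90)
```

With the documented defaults a silent periodic peer is declared offline 90 seconds after its last packet (request at 30s, retransmissions at 45s, 60s and 75s, deletion at 90s), while an on-demand peer is only probed once the local end actually has traffic to send. Running the same scenario with a DPD response arriving on a different interface shows why the if-related check matters after a switchover: with the check enabled the response is dropped and the SA is deleted, which is what triggers IKE re-negotiation; without it the stale SA stays up.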

Copyright © Huawei Technologies Co., Ltd.