Configuring IKE DPD

DPD detects dead peers. It can operate in periodic mode or on-demand mode.

The IKE DPD works as follows:

  1. The local device sends a DPD message to the peer, and waits for a response from the peer.

  2. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message.

  3. If still no response is received within the retry interval, the local end sends the DPD message again. The system allows a maximum of two retries.

  4. If the local device receives no response after two retries, the device considers the peer to be dead, and deletes the IKE SA along with the IPsec SAs it negotiated.

  5. If the local device receives a response from the peer at any point during the detection process (including after a retry), the peer is considered alive. The local device then starts the next DPD detection according to the DPD mode: in periodic mode, when the triggering interval is reached; in on-demand mode, when it has traffic to send to the peer.
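The timing of the five steps above (initial message, at most two retries one retry interval apart, then SA deletion) is easy to get wrong when sizing the interval and retry values, so here is a small simulation of that logic. This is an added example written for this page, not code from the configuration guide or from the device; it uses abstract seconds, a stand-in function for the peer, and two assumptions the text does not spell out: in periodic mode the triggering interval is counted from the end of the previous detection, and in on-demand mode an outbound packet starts a new detection only if at least one triggering interval has passed since the previous one finished.

```python
"""Simulation of the IKE DPD retry logic (constructed example, not device code).

Timings are abstract seconds. `peer_answers(t)` is a stand-in for the peer:
it returns True if the peer responds to a DPD message sent at time t.
"""
from typing import Callable, Iterable, List, Tuple

MAX_RETRIES = 2  # the text: the system allows a maximum of two retries


def dpd_detect(peer_answers: Callable[[float], bool], retry_seconds: float,
               now: float) -> Tuple[bool, float, List[str]]:
    """Run one DPD detection that starts at `now`.

    Sends the initial DPD message, then resends every `retry_seconds` until
    the peer answers or MAX_RETRIES resends have gone unanswered.
    Returns (peer_alive, time the detection ended, event log).
    """
    log: List[str] = []
    t = now
    for attempt in range(MAX_RETRIES + 1):          # initial send + 2 retries
        label = "send" if attempt == 0 else f"retry {attempt}"
        log.append(f"t={t:g}: {label} DPD message")
        if peer_answers(t):                          # any response => alive
            log.append(f"t={t:g}: response received, peer alive")
            return True, t, log
        t += retry_seconds                           # wait one retry interval
    # No response after the initial send and two retries: peer is dead.
    log.append(f"t={t:g}: no response after {MAX_RETRIES} retries, peer dead; "
               "delete IKE SA and the IPsec SAs it negotiated")
    return False, t, log


def simulate(mode: str, interval: float, retry_seconds: float,
             peer_answers: Callable[[float], bool],
             traffic_times: Iterable[float] = (),
             horizon: float = 60.0) -> Tuple[bool, List[str]]:
    """Drive dpd_detect according to the configured DPD mode until `horizon`.

    periodic : a detection starts `interval` seconds after the previous one
               ended (assumption: interval counted from the end of detection).
    on-demand: a detection starts when there is traffic to send, but at most
               once per `interval` (assumption, the page only says "traffic").
    Returns (sa_still_up, event log).
    """
    if mode not in ("periodic", "on-demand"):
        raise ValueError("mode must be 'periodic' or 'on-demand'")
    log: List[str] = []
    next_start = float(interval) if mode == "periodic" else 0.0
    while True:
        if mode == "periodic":
            start = next_start
        else:
            pending = [x for x in sorted(traffic_times) if x >= next_start]
            if not pending:              # nothing to send, no probe needed
                break
            start = pending[0]
        if start > horizon:
            break
        alive, end, events = dpd_detect(peer_answers, retry_seconds, start)
        log.extend(events)
        if not alive:                    # IKE SA and IPsec SAs are gone
            return False, log
        next_start = end + interval
    return True, log


def probes_sent(log: List[str]) -> int:
    """Count DPD messages (initial sends and retries) in an event log."""
    return sum(1 for line in log if "DPD message" in line)


if __name__ == "__main__":
    # Constructed scenario: interval 10 s, retry 5 s, peer stops answering at t=25.
    up, events = simulate("periodic", 10, 5, lambda t: t < 25)
    print("\n".join(events))
    print("IKE SA still up:", up, "| DPD messages sent:", probes_sent(events))
```

With interval 10 and retry 5, the periodic run above answers probes at t=10 and t=20, gets no answer at t=30, retries at t=35 and t=40, and declares the peer dead at t=45: the worst-case time to notice a dead peer is roughly interval plus three retry intervals, which is the figure to keep in mind when choosing the values for the ike dpd command.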

Follow these guidelines when you configure the IKE DPD feature:

To configure IKE DPD:

  Step 1. Enter system view.
      Command: system-view
      Remarks: N/A

  Step 2. Enable sending IKE DPD messages.
      Command: ike dpd interval interval [ retry seconds ] { on-demand | periodic }
      Remarks: By default, IKE DPD is disabled.