IPSec VPN and Dead Peer Detection (DPD) in IKEv1 and Liveness check in IKEv2


L3 Networker

I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let's call them R1 and R2, as follows:

PAN IPSec IKEv1 <<---->> Cisco R2 IKEv1

PAN IPSec IKEv2 <<---->> Cisco R1 IKEv2

I enabled Dead Peer Detection (DPD) in the IKE gateway between the PAN IKEv1 and the Cisco R2 router. For the Dead Peer interval and retry, I set them to 5 and 5, respectively. On the Cisco router R2, I set "set crypto isakmp keepalive 10". On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5. I also set "crypto isakmp keepalive 10" on the R2 Cisco router.

Well, on the IKEv2 VPN tunnels, I see traffic every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel, which is expected. However, I am not seeing traffic between the PAN and Cisco R1 even with DPD enabled.

Is that expected? If not, is this another bug in PAN? I am running 8.1.15 hotfix 3.

3 REPLIES

Cyber Elite

@dtran,

DPD on the PAN side isn't persistent and is only triggered by a phase 2 rekey; as long as phase 2 is up, the PAN won't check to see if the IKE-SA is active. If you want/need to have traffic traverse from the PAN side constantly, you would want to set up tunnel monitoring.
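Added example, not code from this thread and not from Palo Alto Networks or Cisco: a small Python script that reads a constructed capture summary of IKE traffic between a firewall and two peers and classifies, per direction, whether liveness probes are periodic, only appear right after a rekey (the PAN behaviour described above), or are absent. The six-column line format, the RFC 5737 documentation addresses and the timestamps are constructed assumptions; INFORMATIONAL, QUICK_MODE and CREATE_CHILD_SA are the IKE exchange names, not any vendor's log format.

```python
"""Classify IKE liveness probes per peer direction from a capture summary.

Added example for this thread (not code from the forum, Palo Alto Networks or
Cisco). Assumptions: the line format is constructed; IKEv1 DPD (R-U-THERE)
and IKEv2 liveness checks both show up as INFORMATIONAL requests; QUICK_MODE
(IKEv1) and CREATE_CHILD_SA (IKEv2) are treated as phase 2 / child SA rekeys.
"""
from collections import defaultdict
from statistics import median

REKEY_EXCHANGES = {"QUICK_MODE", "CREATE_CHILD_SA"}
REKEY_WINDOW = 2.0   # a probe this soon after a rekey counts as rekey-triggered
JITTER = 0.2         # tolerated deviation from the median gap for "periodic"

# Constructed sample, not a real capture. 203.0.113.1 is the firewall;
# 198.51.100.1 is R1 (IKEv2, firewall probes every 5 s); 198.51.100.2 is R2
# (IKEv1: R2 sends periodic keepalives every 10 s, the firewall only probes
# right after a Quick Mode rekey). Columns: seconds src dst version exchange direction
SAMPLE_LOG = """\
0.00 203.0.113.1 198.51.100.1 IKEv2 INFORMATIONAL request
0.01 198.51.100.1 203.0.113.1 IKEv2 INFORMATIONAL response
5.00 203.0.113.1 198.51.100.1 IKEv2 INFORMATIONAL request
5.01 198.51.100.1 203.0.113.1 IKEv2 INFORMATIONAL response
10.00 203.0.113.1 198.51.100.1 IKEv2 INFORMATIONAL request
10.01 198.51.100.1 203.0.113.1 IKEv2 INFORMATIONAL response
2.00 198.51.100.2 203.0.113.1 IKEv1 INFORMATIONAL request
2.01 203.0.113.1 198.51.100.2 IKEv1 INFORMATIONAL response
12.00 198.51.100.2 203.0.113.1 IKEv1 INFORMATIONAL request
12.01 203.0.113.1 198.51.100.2 IKEv1 INFORMATIONAL response
22.00 198.51.100.2 203.0.113.1 IKEv1 INFORMATIONAL request
22.01 203.0.113.1 198.51.100.2 IKEv1 INFORMATIONAL response
3600.00 203.0.113.1 198.51.100.2 IKEv1 QUICK_MODE request
3600.05 203.0.113.1 198.51.100.2 IKEv1 INFORMATIONAL request
3600.06 198.51.100.2 203.0.113.1 IKEv1 INFORMATIONAL response
"""


def parse_log(text):
    """Turn summary lines into dicts sorted by timestamp; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, version, exchange, direction = fields
        records.append({"ts": float(ts), "src": src, "dst": dst, "version": version,
                        "exchange": exchange, "direction": direction})
    records.sort(key=lambda r: r["ts"])
    return records


def classify_probes(records):
    """Map (src, dst, version) -> (label, median_interval_or_None).

    "periodic": steady interval; "rekey-triggered": every probe follows a
    rekey within REKEY_WINDOW; "irregular": probes without a pattern;
    "none": this side never initiates a probe, it only answers the peer.
    """
    probes, rekeys, directions = defaultdict(list), defaultdict(list), set()
    for r in records:
        key = (r["src"], r["dst"], r["version"])
        directions.add(key)
        if r["direction"] != "request":
            continue  # responses say nothing about who is doing the probing
        if r["exchange"] == "INFORMATIONAL":
            probes[key].append(r["ts"])
        elif r["exchange"] in REKEY_EXCHANGES:
            rekeys[key].append(r["ts"])

    result = {}
    for key in sorted(directions):
        times = probes.get(key, [])
        if not times:
            result[key] = ("none", None)
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2:
            mid = median(gaps)
            if all(abs(g - mid) <= JITTER * mid for g in gaps):
                result[key] = ("periodic", round(mid, 2))
                continue
        after_rekey = all(any(0 <= t - rk <= REKEY_WINDOW for rk in rekeys.get(key, []))
                          for t in times)
        result[key] = ("rekey-triggered", None) if after_rekey else ("irregular", None)
    return result


def report(result):
    """One readable line per direction with the operational reading."""
    hints = {
        "periodic": "persistent probes; their absence would indicate a dead peer",
        "rekey-triggered": "probes only around rekeys; use tunnel monitoring for constant traffic",
        "irregular": "probes present but not periodic; check on-demand DPD settings",
        "none": "this side never probes; it only answers the peer",
    }
    lines = []
    for (src, dst, version), (label, interval) in result.items():
        extra = f" every ~{interval}s" if interval else ""
        lines.append(f"{src} -> {dst} [{version}]: {label}{extra}; {hints[label]}")
    return lines


if __name__ == "__main__":
    for line in report(classify_probes(parse_log(SAMPLE_LOG))):
        print(line)
```

Run on the constructed sample, the firewall-to-R1 IKEv2 direction comes out as periodic at 5 s, R2-to-firewall as periodic at 10 s, firewall-to-R2 IKEv1 as rekey-triggered, and R1-to-firewall as none. To use it on a real capture, export the IKE/ISAKMP packets to the same six columns; the classification rule is what matters, not the format.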

L0 Member

@dtran wrote:

I have two different IPSec VPN tunnels between a PAN and two different Cisco devices, let's call them R1 and R2, as follows:

PAN IPSec IKEv1 <<---->> Cisco R2 IKEv1

PAN IPSec IKEv2 <<---->> Cisco R1 IKEv2

I enabled Dead Peer Detection (DPD) in the IKE gateway between the PAN IKEv1 and the Cisco R2 router. For the Dead Peer interval and retry, I set them to 5 and 5, respectively. On the Cisco router R2, I set "set crypto isakmp keepalive 10". On the IKE gateway between the PAN and Cisco R1 IKEv2, I set the "liveness check" to 5. I also set "crypto isakmp keepalive 10" on the R2 Cisco router.

Well, on the IKEv2 VPN tunnels, I see traffic every 5 seconds between the PAN and Cisco R2 even when there is no traffic going across the tunnel, which is expected. However, I am not seeing traffic between the PAN and Cisco R1 even with DPD enabled.

Is that expected? If not, is this another bug in PAN? I am running 8.1.15 hotfix 3.

Already facing this kind of issue...

@BPry: "If you want/need to have traffic traverse from the PAN side constantly, you would want to set up tunnel monitoring."

PAN VPN Peer is 1.1.1.1 and Cisco VPN Peer is 2.2.2.2

PAN Encryption Domain is 192.168.1.1 and Cisco VPN Encryption Domain is 192.168.2.
