FortiGate
ssriswadpong
Staff
Article Id 267783
Description This article describes when an IPsec tunnel is brought down if DPD (Dead Peer Detection) is disabled in phase 1.
Scope FortiGate.
Solution

With DPD disabled, the tunnel is brought down only when the keylife expires. Check the remaining keylife (the timeout value on the life: line of the output) with the following command:

diagnose vpn tunnel list

For example:

name=DisabledDPD ver=1 serial=8 10.47.1.188:0->10.47.4.65:0 tun_id=10.47.4.65 tun_id6=::10.47.4.65 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary
accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=43980886 olast=43980886 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=DisabledDPD proto=0 sa=1 ref=2 serial=1
src: 0:10.207.0.0-10.207.15.255:0
dst: 0:192.168.17.0-192.168.17.255:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42177/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=f099b8fc esp=aes key=16 e5ee72022a73fcd4a5c6493373dbbe6f
ah=sha1 key=20 bfefaefc8f53443b29cc3aa123f22dcf21c74fc1
enc: spi=f5bfe1e9 esp=aes key=16 ad911f2396c9303afd5b4846d7a4ebd4
ah=sha1 key=20 d3a7cf3ae3499d9183181dc72237da08f9a82c84
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=10.47.4.65 npu_lgwy=10.47.1.188 npu_selid=3 dec_npuid=0 enc_npuid=0
run_tally=0
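In the output above, dpd: mode=off confirms that DPD is disabled and life: type=01 bytes=0/0 timeout=42898/43200 shows the remaining and total keylife in seconds, so a dead peer on this tunnel would only be noticed once the remaining 42898 seconds have elapsed. The following Python script is an added example (not part of the original article or a Fortinet tool) that parses saved diagnose vpn tunnel list output, reports every tunnel whose DPD mode is off, and gives the worst-case time until such a tunnel would be torn down. The sample text is constructed from the excerpt above with the key-material lines omitted, plus a second, hypothetical tunnel named HypotheticalDPD with DPD enabled; the dpd: mode=on-demand line for that tunnel is an assumption about the output format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first tunnel is the excerpt from the article (keys omitted),
# the second is a hypothetical tunnel with DPD enabled and a keylife close to expiry.
SAMPLE_OUTPUT = """\
name=DisabledDPD ver=1 serial=8 10.47.1.188:0->10.47.4.65:0 tun_id=10.47.4.65 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=43980886 olast=43980886 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=DisabledDPD proto=0 sa=1 ref=2 serial=1
  src: 0:10.207.0.0-10.207.15.255:0
  dst: 0:192.168.17.0-192.168.17.255:0
  SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42177/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42898/43200
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=0
name=HypotheticalDPD ver=1 serial=9 10.47.1.188:0->10.47.4.66:0 tun_id=10.47.4.66 dst_mtu=1500 dpd-link=on weight=1
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5
proxyid=HypotheticalDPD proto=0 sa=1 ref=2 serial=1
  life: type=01 bytes=0/0 timeout=120/43200
run_tally=0
"""


@dataclass
class TunnelStatus:
    name: str
    dpd_mode: str          # value of "dpd: mode=..." ("off" means DPD disabled)
    life_remaining: int    # seconds left on the first child SA (life: timeout=remaining/total)
    life_total: int        # configured keylife in seconds

    @property
    def dpd_disabled(self) -> bool:
        return self.dpd_mode == "off"


def parse_tunnel_list(text: str) -> List[TunnelStatus]:
    """Parse 'diagnose vpn tunnel list' output into one TunnelStatus per tunnel.

    A new tunnel record starts at each line beginning with 'name='; the dpd: and
    life: lines that follow belong to that tunnel. Only the first child SA's
    life: line is recorded, which is enough for the keylife check.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"name=(\S+)", line)
        if m:
            current = {"name": m.group(1), "dpd_mode": "unknown", "life": None}
            records.append(current)
            continue
        if current is None:
            continue  # ignore anything before the first tunnel record
        m = re.match(r"dpd: mode=(\S+)", line)
        if m:
            current["dpd_mode"] = m.group(1)
            continue
        m = re.match(r"life: .*timeout=(\d+)/(\d+)", line)
        if m and current["life"] is None:
            current["life"] = (int(m.group(1)), int(m.group(2)))

    result = []
    for r in records:
        remaining, total = r["life"] if r["life"] else (0, 0)
        result.append(TunnelStatus(r["name"], r["dpd_mode"], remaining, total))
    return result


def detection_delay_seconds(t: TunnelStatus) -> Optional[int]:
    """Worst-case seconds until a dead peer brings this tunnel down.

    With DPD off the only trigger is keylife expiry, so the answer is the
    remaining keylife. With DPD on the peer is probed, so None is returned
    (the delay then depends on the DPD idle/retry settings, not the keylife).
    """
    return t.life_remaining if t.dpd_disabled else None


def dpd_off_report(tunnels: List[TunnelStatus]) -> List[str]:
    """One human-readable line per tunnel that relies solely on keylife expiry."""
    return [
        f"{t.name}: DPD off, torn down only at keylife expiry in {t.life_remaining}s "
        f"(keylife {t.life_total}s)"
        for t in tunnels
        if t.dpd_disabled
    ]


if __name__ == "__main__":
    for line in dpd_off_report(parse_tunnel_list(SAMPLE_OUTPUT)):
        print(line)
```

Feed the script the saved output of diagnose vpn tunnel list instead of SAMPLE_OUTPUT to list the tunnels that will stay up until their keylife runs out even if the peer has already gone away; the remaining seconds tell you how long such an outage could go unnoticed.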