Help
FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
Markus_M
Staff
Staff

Created on ‎11-07-2017 02:09 AM Edited on ‎02-23-2023 03:12 AM By Community Manager

Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN

Description


This article describes how to configure DPD on IPsec VPN.

Sometimes, due to routing issues or other network issues, the communication link between a FortiGate unit and a VPN peer or client may go down.
Packets could be lost if the connection is left to time out on its own. The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and to re-establish IKE negotiations automatically before a connection times out: the active Phase 1 security associations are caught and renegotiated (rekeyed) before the Phase 1 encryption key expires.

The commands in this article will help to configure DPD (dead peer detection) on IPsec VPN.


Solution


It is possible to configure DPD per phase1-interface as follows (default settings are shown):

 

#config vpn ipsec phase1-interface
    edit <Tunnel Name>
         set dpd [disable | on-idle | on-demand]
         set dpd-retryinterval 20
         set dpd-retrycount 3
     next
end


DPD:
Disable: Disable Dead Peer Detection.
On-idle: Trigger Dead Peer Detection when IPsec is idle.
On-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.

DPD-RETRYINTERVAL:
How long is the interval in seconds after which a DPD will be attempted again.

DPD-RETRYCOUNT:
How often will the DPD be attempted.

With the default settings, DPD will be attempted every 20 seconds, 3 times. In total after one minute without DPD responses the tunnel will be turned down.

 

On GUI:

 

akileshc_1-1677150340922.png


On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance/load of the ike process.
For this reason, an option is available in the CLI to send DPD passively in a mode called "on-demand".
- When there is no traffic and the last DPD-ACK had been received, IKE will not send DPDs periodically.
- IKE will only send out DPDs if there are outgoing packets to send but no inbound packets had since been received.

Crosscheck the DPD exchange with the diagnose tool on CLI:

 

#diagnose debug console timestamp enable
#diagnose debug application ike -1
#diagnose debug enable


In IKEv1, DPD messages will be as “R-U-THERE” and responses as 'R-U-THERE-ACK':

 

ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f73
...
ike 3:testVPN:123123: notify msg received: R-U-THERE-ACK

In IKEv2, the message will be 'informational':

 

2021-02-10 16:20:48.645409 ike 0:VPN-test:9: send IKEv2 DPD probe
2021-02-10 16:20:48.645478 ike 0:VPN-test:21: sending NOTIFY msg
2021-02-10 16:20:48.645543 ike 0:VPN-test:9:21: send informational

For further information, refer to the 'FortiGate/FortiOS Documentation' manual which is available in the Fortinet Document Library.

157227
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.