Description
This article describes how to configure DPD on IPsec VPN.
Sometimes, due to routing or other network issues, the communication link between a FortiGate unit and a VPN peer or client may go down.
Packets could be lost if the connection is left to time out on its own. The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and to re-establish IKE negotiations automatically before a connection times out: the active Phase 1 security associations are caught and renegotiated (rekeyed) before the Phase 1 encryption key expires.
The commands in this article configure DPD (Dead Peer Detection) on an IPsec VPN.
Solution
It is possible to configure DPD per phase1-interface as follows (default settings are shown):
#config vpn ipsec phase1-interface
    edit <Tunnel Name>
        set dpd [disable | on-idle | on-demand]
        set dpd-retryinterval 20
        set dpd-retrycount 3
    next
end
dpd:
disable: Disable Dead Peer Detection.
on-idle: Trigger Dead Peer Detection when the IPsec tunnel is idle.
on-demand: Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
dpd-retryinterval:
The interval, in seconds, after which a DPD probe is attempted again.
dpd-retrycount:
The number of times the DPD probe is attempted before the peer is declared dead.
With the default settings, a DPD probe is attempted every 20 seconds, up to 3 times. In total, after one minute without a DPD response, the tunnel is brought down.
On GUI:
On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance and load of the IKE process.
For this reason, an option is available in the CLI to send DPD passively in a mode called 'on-demand':
- When there is no traffic and the last DPD-ACK has been received, IKE will not send DPDs periodically.
- IKE will only send out DPDs if there are outgoing packets to send but no inbound packets have been received since.
Crosscheck the DPD exchange with the diagnose tool on CLI:
#diagnose debug console timestamp enable
#diagnose debug application ike -1
#diagnose debug enable
In IKEv1, DPD messages appear as 'R-U-THERE' and responses as 'R-U-THERE-ACK':
ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f73
...
ike 3:testVPN:123123: notify msg received: R-U-THERE-ACK
In IKEv2, the message will be 'informational':
2021-02-10 16:20:48.645409 ike 0:VPN-test:9: send IKEv2 DPD probe
2021-02-10 16:20:48.645478 ike 0:VPN-test:21: sending NOTIFY msg
2021-02-10 16:20:48.645543 ike 0:VPN-test:9:21: send informational
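When reviewing the output of 'diagnose debug application ike -1' for a tunnel that keeps dropping, it helps to see how many consecutive 'R-U-THERE' probes went unanswered before the dpd-retrycount limit was reached. The script below is an added example, not part of the Fortinet article and not a Fortinet tool: it parses IKEv1 DPD lines in the format shown above (with or without the timestamp that 'diagnose debug console timestamp enable' adds), resets the counter on each 'R-U-THERE-ACK', and flags a tunnel as dead once the unanswered probes reach dpd-retrycount. The log lines embedded in it are constructed for the example (tunnel names, addresses and IDs are made up), and the thresholds assume the defaults stated in the article (20 seconds, 3 retries).

```python
"""Count unanswered IKEv1 DPD probes per tunnel in FortiGate IKE debug output.

Added example for this article; it is not Fortinet code. The regular
expression is derived only from the 'R-U-THERE' / 'R-U-THERE-ACK' lines the
article shows. Sample log lines below are constructed, not captured.
"""
import re
from collections import defaultdict

# Article defaults: set dpd-retryinterval 20 / set dpd-retrycount 3
DPD_RETRYINTERVAL = 20  # seconds between retries
DPD_RETRYCOUNT = 3      # probes without an ACK before the tunnel is brought down

# Optional timestamp, then "ike <n>:<tunnel>:<serial>: " and the DPD message.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ )?"
    r"ike \d+:(?P<tunnel>[^:]+):\d+: "
    r"(?:sent IKE msg \((?P<probe>R-U-THERE)\)|notify msg received: (?P<ack>R-U-THERE-ACK))"
)

# Constructed sample: testVPN answers the first probe, then falls silent for
# three probes (dead by the default retry count); branchVPN answers normally.
SAMPLE_LOG = """\
2021-02-10 16:20:00.000100 ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f73
2021-02-10 16:20:00.010200 ike 3:testVPN:123123: notify msg received: R-U-THERE-ACK
2021-02-10 16:20:05.000100 ike 3:branchVPN:555: sent IKE msg (R-U-THERE): 1.2.3.4:500->5.6.7.8:500, len=92, id=0000000000000001/0000000000000002:00000001
2021-02-10 16:20:05.004000 ike 3:branchVPN:555: notify msg received: R-U-THERE-ACK
2021-02-10 16:20:20.000100 ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f74
2021-02-10 16:20:40.000100 ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f75
2021-02-10 16:21:00.000100 ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f76
"""


def seconds_until_dead(retryinterval=DPD_RETRYINTERVAL, retrycount=DPD_RETRYCOUNT):
    """Worst-case time from the first unanswered probe until the tunnel is torn down."""
    return retryinterval * retrycount


def analyse(lines, retrycount=DPD_RETRYCOUNT):
    """Return {tunnel: (consecutive_unanswered_probes, declared_dead)}.

    Each R-U-THERE increments the tunnel's unanswered counter; an
    R-U-THERE-ACK resets it. Once the counter reaches retrycount the tunnel
    is marked dead, mirroring the point at which FortiOS brings it down.
    Lines that are not DPD messages are ignored.
    """
    unanswered = defaultdict(int)
    dead = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        tunnel = m.group("tunnel")
        if m.group("probe"):
            unanswered[tunnel] += 1
            if unanswered[tunnel] >= retrycount:
                dead[tunnel] = True
        else:  # ACK received: the peer is alive, start counting again
            unanswered[tunnel] = 0
            dead[tunnel] = False
    return {t: (unanswered[t], dead.get(t, False)) for t in unanswered}


if __name__ == "__main__":
    print(f"default dead-peer timeout: {seconds_until_dead()} s")
    for tunnel, (count, is_dead) in sorted(analyse(SAMPLE_LOG.splitlines()).items()):
        state = "DEAD" if is_dead else "alive"
        print(f"{tunnel}: {count} unanswered probe(s) -> {state}")
```

Feed it the captured debug output line by line (for example, the file saved from a terminal session) to check whether a tunnel flap coincides with the retry count being exhausted, or whether the tunnel went down for some other reason while DPD was still being acknowledged. For IKEv2 the probes appear as 'send IKEv2 DPD probe' / 'send informational' rather than R-U-THERE, so the pattern would need to be extended for that case.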
For further information, refer to the 'FortiGate/FortiOS Documentation' manual which is available in the Fortinet Document Library.
Copyright 2023 Fortinet, Inc. All Rights Reserved.