Section 35.1.5, Dead Peer Detection – Westermo RedFox Series User Manual
Page 795

Westermo OS Management Guide
Version 4.17.0-0
[Figure 35.4 (diagram): PC Charlie (IP C) <-> VPN GW1 Alice (IP A) <-> Internet <-> VPN GW2 Bob (IP B) <-> PC Dave (IP D). On the LAN segments the packet carries only the inner header (Dst IP D, Src IP C) and Data; across the Internet the whole inner packet is encrypted and carried behind an outer IP header holding the gateway addresses IP A and IP B.]
Figure 35.4: IPsec tunnel mode encapsulation. The "inner" IP header holds the
original IP addresses of Charlie and Dave, and the outer IP header contains the
addresses of the VPN gateways Alice and Bob.
In order to send encapsulated data more efficiently over the Internet an operator
can tune the maximum transmission unit (MTU) for VPN tunnels. Tunnel mode adds an
outer IP header plus the ESP header, IV, padding, trailer and integrity check value
to every packet, so the tunnel MTU is kept below the 1500 byte Ethernet MTU to avoid
fragmenting the encapsulated packets on their way to the remote gateway. By default
the MTU for VPN tunnels is set to 1419 bytes.
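The size arithmetic behind a tunnel MTU, as an added illustration that is not part of the manual and not WeOS code: the cipher-suite figures (AES-CBC with a 16 byte block and IV, HMAC-SHA1-96 with a 12 byte ICV, UDP encapsulation for NAT traversal) are assumptions chosen for the example, and the header sizes are those of RFC 4303 (ESP) and RFC 3948 (UDP encapsulation). With these assumed figures the worst-case overhead comes to 81 bytes, so 1500 - 81 = 1419, the same number as the default quoted above; the manual does not say how its default was derived, so treat the match as an illustration only.

```python
"""ESP tunnel-mode size arithmetic over IPv4 (added example, not WeOS code).

Assumed cipher suite for the example: AES-CBC (16-byte block and IV),
HMAC-SHA1-96 (12-byte ICV), ESP wrapped in UDP for NAT traversal.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20     # outer IP header without options
UDP_NAT_T = 8       # UDP header used for NAT traversal (RFC 3948)
ESP_HDR = 8         # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2     # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    block: int = 16       # ESP pads (payload + trailer) to a multiple of this
    iv: int = 16          # explicit IV carried right after the ESP header
    icv: int = 12         # integrity check value appended to the packet
    nat_t: bool = True    # wrap ESP in UDP (NAT traversal)


def esp_padding(inner_len: int, p: EspParams) -> int:
    """Padding ESP inserts so payload + padding + trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % p.block


def fixed_overhead(p: EspParams) -> int:
    """Bytes added regardless of the inner packet length (no padding counted)."""
    return (OUTER_IPV4 + (UDP_NAT_T if p.nat_t else 0) + ESP_HDR
            + p.iv + ESP_TRAILER + p.icv)


def worst_case_overhead(p: EspParams) -> int:
    """Upper bound on added bytes: fixed headers plus maximal padding (block - 1)."""
    return fixed_overhead(p) + p.block - 1


def encapsulated_size(inner_len: int, p: EspParams) -> int:
    """On-the-wire size of an inner IP packet of inner_len bytes after encapsulation."""
    return fixed_overhead(p) + inner_len + esp_padding(inner_len, p)


def conservative_tunnel_mtu(link_mtu: int, p: EspParams) -> int:
    """Tunnel MTU that can never need fragmentation: link MTU minus worst case."""
    return link_mtu - worst_case_overhead(p)


def largest_unfragmented(link_mtu: int, p: EspParams) -> int:
    """Exact largest inner packet that still fits the link MTU after encapsulation."""
    n = link_mtu
    while encapsulated_size(n, p) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    suites = {
        "AES-CBC/HMAC-SHA1-96 + NAT-T": EspParams(),
        # AES-GCM: 8-byte IV, 16-byte ICV, padding only to 4-byte alignment
        "AES-GCM-128, no NAT-T": EspParams(block=4, iv=8, icv=16, nat_t=False),
    }
    for name, params in suites.items():
        print(f"{name}: worst-case overhead {worst_case_overhead(params)} B, "
              f"conservative tunnel MTU {conservative_tunnel_mtu(1500, params)} B, "
              f"exact largest inner packet {largest_unfragmented(1500, params)} B")
```

The conservative figure is what a default has to use, since the gateway cannot know the cipher suite and padding of every packet in advance; the exact figure shows how much is left on the table for one concrete suite. Staying under the link MTU matters operationally as well as for efficiency: fragmented ESP packets are routinely dropped by intermediate firewalls, and when ICMP is filtered path MTU discovery cannot repair that, so the tunnel silently loses every large packet.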
35.1.5 Dead Peer Detection
The connectivity through an established IPsec tunnel may be broken unexpectedly,
e.g., if one of the peers goes down or is disconnected, or if some kind of routing,
NAT or firewall problem occurs on the path between them. Without detection a peer
holding stale security associations would keep encrypting traffic into a black
hole until those security associations expire.
Dead Peer Detection (DPD) can be used to discover and manage such situations.
In DPD the peers exchange keep-alive messages to monitor whether the remote peer
is still reachable. If a peer determines that connectivity is broken, appropriate
action should be taken. There are three configuration options for the DPD action:
• Restart: An initiator should try to re-establish the IPsec tunnel by restarting
the IKE handshake.
• Hold: A responder can choose the Hold DPD action: the security associations are
removed but the tunnel policy is kept, so the tunnel is renegotiated as soon as
matching traffic appears. This is often the preferred option in a NETWORK-NETWORK
VPN scenario (see
• Clear: A responder can also choose the Clear DPD action, i.e., remove the tunnel
state and wait for the remote peer to connect again. This is the preferred option
in the HOST-NETWORK VPN scenario, i.e., if the initiator is a single road warrior
(see ), since the responder cannot initiate a connection to a road warrior whose
address it does not know in advance, but Clear may also be used in a NETWORK-
NETWORK VPN scenario.
As of WeOS v4.17.0 a VPN gateway configured as initiator will use DPD action
restart by default, while a responder by default uses DPD action clear.
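The three actions side by side, as an added model that is not part of the manual and not WeOS code: one peer's view of a tunnel is simulated second by second, a keep-alive probe is sent whenever `delay` seconds pass without hearing from the remote side, and after `timeout` seconds of silence the peer is declared dead and the configured action applied. The parameter names `delay` and `timeout`, the timing rules and the "link" that stops answering at a chosen second are all assumptions made for this example; what the model shows is what happens to the next packet that wants to use the tunnel under each action.

```python
"""Simplified Dead Peer Detection (DPD) model (added example, not WeOS code).

Assumed parameters: `delay` seconds of silence between keep-alive probes and
`timeout` seconds of silence before the remote peer is declared dead.  The
remote side is a constructed link that answers probes only while alive.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class DpdAction(Enum):
    RESTART = "restart"   # re-run the IKE handshake at once (initiator default)
    HOLD = "hold"         # drop the SAs, keep the policy; renegotiate on next traffic
    CLEAR = "clear"       # drop SAs and policy; wait for the remote peer to reconnect


class TunnelState(Enum):
    UP = "up"
    REINITIATING = "reinitiating"
    HELD = "held"
    CLEARED = "cleared"


@dataclass
class DpdPeer:
    name: str
    action: DpdAction
    delay: int
    timeout: int
    state: TunnelState = TunnelState.UP
    last_seen: int = 0          # last second at which anything arrived from the peer
    last_probe: int = -1        # last second at which we sent a keep-alive
    dead_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def tick(self, now: int, remote_alive_until: int) -> None:
        """Advance the monitor one second; the remote answers only while now < remote_alive_until."""
        if self.state is not TunnelState.UP:
            return
        if now - max(self.last_seen, self.last_probe) >= self.delay:
            self.last_probe = now
            self.log.append(f"t={now}: {self.name} -> keep-alive")
            if now < remote_alive_until:          # constructed link: reply arrives at once
                self.last_seen = now
                self.log.append(f"t={now}: {self.name} <- keep-alive ack")
        if now - self.last_seen >= self.timeout:
            self.dead_at = now
            self.state = {
                DpdAction.RESTART: TunnelState.REINITIATING,
                DpdAction.HOLD: TunnelState.HELD,
                DpdAction.CLEAR: TunnelState.CLEARED,
            }[self.action]
            self.log.append(f"t={now}: {self.name}: peer dead, "
                            f"action {self.action.value} -> {self.state.value}")

    def on_local_traffic(self, now: int) -> str:
        """Fate of a packet that wants to use the tunnel after the DPD action fired."""
        if self.state is TunnelState.UP:
            return "sent"
        if self.state is TunnelState.HELD:
            # the kept policy traps the packet and triggers a new IKE negotiation
            self.state = TunnelState.REINITIATING
            self.log.append(f"t={now}: {self.name}: traffic trapped, renegotiating")
            return "renegotiate"
        if self.state is TunnelState.REINITIATING:
            return "queued"      # handshake already running, packet waits for the new SAs
        return "dropped"         # CLEARED: no policy left, nothing protects this traffic


def simulate(action: DpdAction, delay: int, timeout: int,
             remote_alive_until: int, horizon: int, name: str = "gw") -> DpdPeer:
    """Run one peer from t=0 to t=horizon against a remote that dies at remote_alive_until."""
    peer = DpdPeer(name, action, delay, timeout)
    for now in range(horizon + 1):
        peer.tick(now, remote_alive_until)
    return peer


if __name__ == "__main__":
    for action in DpdAction:
        p = simulate(action, delay=5, timeout=30, remote_alive_until=12, horizon=60)
        print("\n".join(p.log))
        print(f"  next packet at t=45: {p.on_local_traffic(45)}\n")
```

With the remote dying at t=12 the last acknowledged probe is the one at t=10, so all three peers declare it dead at t=40; the difference is only in what follows. The restart peer is already negotiating, the hold peer renegotiates the moment local traffic shows up (sensible when both sides are fixed gateways that can reach each other), and the clear peer drops the packet, which is the right outcome for a responder whose road-warrior client has to come back on its own.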
Two additional DPD parameters can be configured:
© 2015 Westermo Teleindustri AB