Differences between the DPD of IKEv1 and that of IKEv2

Publication Date: 2012-07-17
Issue Description
Q: What are the differences between the DPD of IKEv1 and that of IKEv2?
Alarm Information
None.
Handling Process
A:
(1) Processing of the IKEv1:
Configure the following command:
ike dpd interval 10 2
When the firewall receives no encrypted packets from the peer within the configured interval, it sends a DPD probe packet. If no reply arrives, it sends a DPD probe packet every two seconds, for five times. If the peer has still not replied after the five probe packets are sent, the firewall considers the peer to be down and clears the IKE SA. Detection takes 20 seconds in total. After 20 seconds, the tunnel is re-negotiated for the traffic, and once a new IKE SA has been successfully negotiated the traffic returns to normal.
(2) Processing of the IKEv2:
Configure the following command:
ike dpd interval 10
When the firewall receives no encrypted packets from the peer within the configured interval, it sends a DPD probe packet. If no reply arrives, it sends another DPD probe packet after one second. If there is still no reply, it sends another after two seconds, and so on: 1 s, 2 s, … 64 s. That is, the firewall backs off exponentially between retransmissions of the DPD probe. If after eight attempts the firewall still receives nothing from the peer, it considers the peer to be down and clears the IKE SA. Detection takes 10 + 191 = 201 seconds in total. After 201 seconds, the tunnel is re-negotiated for the traffic, and once a new IKE SA has been successfully negotiated the traffic returns to normal.
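The two timelines above are easy to misjudge when planning failover, so the following added example (not Huawei's code) models them and reproduces the 20 s and 201 s figures. It assumes, beyond what the page states, that the idle timer runs from the last encrypted packet received, that one probe is sent at the start of each wait, and that the IKEv2 backoff doubles from 1 s and is capped at 64 s, which is what makes eight retransmission waits sum to 191 s.

```python
"""Model of the IKEv1 and IKEv2 DPD probe timelines described on this page.

Added illustration, not vendor code. The 64 s cap on the IKEv2 backoff is an
assumption chosen so that eight waits (1+2+4+8+16+32+64+64) total 191 s.
"""


def dpd_timeline(interval, waits):
    """Return (probe_times, sa_cleared_at), both in seconds after the last
    encrypted packet from the peer.

    The first probe is sent when the idle timer `interval` expires. After
    each wait in `waits` with no reply, the next probe is sent; when the
    final wait expires without a reply, the IKE SA is cleared.
    """
    probes = [interval]
    now = interval
    for wait in waits[:-1]:
        now += wait
        probes.append(now)
    sa_cleared_at = now + waits[-1]
    return probes, sa_cleared_at


def ikev1_waits(retry_interval=2, probes=5):
    """IKEv1 (`ike dpd interval 10 2`): a fixed retry interval, five probes."""
    return [retry_interval] * probes


def ikev2_waits(attempts=8, cap=64):
    """IKEv2 (`ike dpd interval 10`): exponential backoff 1, 2, 4, ... capped
    at `cap` seconds (the cap is an assumption, see module docstring)."""
    return [min(2 ** k, cap) for k in range(attempts)]


def outage_before_renegotiation(interval, waits):
    """Seconds a dead peer goes undetected before the SA is cleared and a new
    IKE SA can be negotiated; useful when sizing failover expectations."""
    return dpd_timeline(interval, waits)[1]


if __name__ == "__main__":
    for name, waits in (("IKEv1", ikev1_waits()), ("IKEv2", ikev2_waits())):
        probes, cleared = dpd_timeline(10, waits)
        print(f"{name}: probes at {probes}, IKE SA cleared at {cleared} s")
```

With the same `interval 10`, the model shows the IKEv1 peer being declared dead at 20 s and the IKEv2 peer only at 201 s, which is the gap in failover time to budget for when choosing between the two.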
Root Cause
None.
Suggestions
None.
