Ruijie Networks—VPN function—IPSEC extended configuration—IPSec DPD configuration

Table of contents

Features

1. Networking requirements

2. Network topology

3. Configuration points

4. Configuration steps

5. Configuration verification



Features

DPD (Dead Peer Detection) is a mechanism in the IPSEC protocol suite that detects whether the peer is still alive. It prevents two failure modes: communication between the peers silently stopping, and one end continuing to encapsulate data with IPSEC and send it to the peer after that peer's IPSEC SA has already been cleared, which interrupts exactly the traffic that needs to be encrypted.

When one end fails to detect the other end through DPD, the local device clears the corresponding isakmp sa and ipsec sa; if a new interesting flow then appears (or the auto up function is configured), negotiation of the isakmp sa and ipsec sa is reinitiated.

DPD does not have to be configured on both IPSEC peers; generally it is only needed on the end that initiates the data. For example, in a headquarters-and-branch topology where all business traffic is initiated by the branch toward the headquarters and the headquarters never needs to actively access the branch, DPD only needs to be configured on the branch.

1. Networking requirements

Configure DPD on the branch to detect whether the IPSEC peer at the headquarters is alive. This avoids two problems: communication between the branch and the headquarters being interrupted, and, when the IPSEC SA for the branch on the headquarters router is abnormally deleted, the branch continuing to encrypt data and send it to the headquarters, which can no longer decrypt it, so that data communication is interrupted.

2. Network topology

3. Configuration points

1. Configure basic IPSEC functions

2. Configure the DPD function on branch 1

4. Configuration steps

1. Configure basic IPSEC functions

According to the on-site environment and customer requirements, select the appropriate IPSEC deployment solution. For detailed configuration, refer to the IPSEC "Basic Configuration" chapter (Typical Configuration ---> Security ---> IPSEC ---> Basic Configuration).

2. Configure the DPD function on branch 1

crypto isakmp keepalive 10 on-demand //Configure the DPD detection period as 10 seconds and the detection mode as on-demand. The period should not be too short, otherwise IPSEC will be interrupted frequently because of network delay.

Note: DPD has two detection modes, periodic detection and on-demand detection; in general the on-demand mode can be used.

Periodic detection: once the tunnel has been idle for longer than the configured time, the device proactively sends DPD detection messages on a timer; the default maximum number of retransmissions is 5.

On-demand detection: DPD detection messages are sent only when the tunnel idle time exceeds the configured time and a packet needs to be sent at that moment.
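The difference between the two modes, and the teardown-and-renegotiate behaviour described in the Features section, is easier to see in a small event-driven model. The following is an added illustration, not Ruijie code: it assumes a probe/acknowledgement exchange (R-U-THERE / R-U-THERE-ACK, the message names from the DPD RFC), an alive peer that always answers, a dead peer that never answers, and a retransmission limit of 5 as in the note above. The class and function names, the timestamps and the "cable pulled" scenario are constructed for the example.

```python
"""Event-driven model of IKE Dead Peer Detection: periodic vs on-demand mode.

Simplifying assumptions (this is an illustration, not a vendor implementation):
- an alive peer answers every R-U-THERE immediately with R-U-THERE-ACK;
- a dead peer never answers, so the probe is retransmitted up to max_retries
  times and the local end then clears its isakmp sa and ipsec sa;
- time is an integer second counter driven by the caller, so nothing sleeps.
"""
from dataclasses import dataclass, field


@dataclass
class DpdEndpoint:
    interval: int = 10            # detection period, as in `crypto isakmp keepalive 10 ...`
    mode: str = "on-demand"       # "on-demand" or "periodic"
    max_retries: int = 5          # default maximum number of retransmissions
    peer_alive: bool = True       # set False by the caller to simulate the peer going away
    sa_up: bool = True            # isakmp sa and ipsec sa currently established
    last_rx: int = 0              # time of the last traffic or ACK seen from the peer
    log: list = field(default_factory=list)

    def _probe(self, t: int) -> bool:
        """Send R-U-THERE, retransmitting up to max_retries times; return liveness."""
        for attempt in range(1, self.max_retries + 2):
            self.log.append(f"t={t}: R-U-THERE (attempt {attempt})")
            if self.peer_alive:
                self.log.append(f"t={t}: R-U-THERE-ACK")
                self.last_rx = t
                return True
        # No answer after the initial probe plus max_retries retransmissions.
        self.log.append(f"t={t}: peer dead, clearing isakmp sa and ipsec sa")
        self.sa_up = False
        return False

    def receive(self, t: int) -> None:
        """Any protected traffic from the peer proves it is alive and resets the idle timer."""
        self.last_rx = t

    def tick(self, t: int) -> None:
        """Timer event. Only periodic mode probes an idle tunnel without local traffic."""
        if self.mode == "periodic" and self.sa_up and t - self.last_rx >= self.interval:
            self._probe(t)

    def send(self, t: int) -> str:
        """Local data matching the interesting flow. Returns 'sent' or 'dropped'."""
        if not self.sa_up:
            # New interesting flow after teardown re-initiates negotiation.
            self.log.append(f"t={t}: interesting flow, re-initiating isakmp/ipsec negotiation")
            if not self.peer_alive:
                return "dropped"          # negotiation cannot complete
            self.sa_up, self.last_rx = True, t
            return "sent"
        if self.mode == "on-demand" and t - self.last_rx > self.interval:
            # Tunnel idle longer than the period and we have data to send: probe first.
            if not self._probe(t):
                return "dropped"
        return "sent"


def run_scenario(mode: str, peer_alive: bool) -> dict:
    """Constructed scenario: tunnel idle since t=0, the peer's state is fixed at
    `peer_alive`, the timer fires at t=10/20/30, and local data is sent at t=40."""
    ep = DpdEndpoint(mode=mode)
    ep.receive(0)
    ep.peer_alive = peer_alive
    for t in (10, 20, 30):
        ep.tick(t)
    sa_before_send = ep.sa_up
    outcome = ep.send(40)
    dead = [line for line in ep.log if "peer dead" in line]
    return {
        "sa_up_before_send": sa_before_send,
        "outcome": outcome,
        "dead_detected_at": dead[0] if dead else None,
        "probes": sum(1 for line in ep.log if "R-U-THERE (" in line),
    }


if __name__ == "__main__":
    for mode in ("periodic", "on-demand"):
        for alive in (True, False):
            print(mode, "peer alive" if alive else "peer dead", run_scenario(mode, alive))
```

With a dead peer, periodic mode notices at the first timer expiry (t=10) and clears the SAs even though no local traffic is waiting, while on-demand mode leaves the stale SAs in place until the branch actually has something to send at t=40, then probes, tears down and reinitiates negotiation. With an alive peer, periodic mode costs one probe per idle interval whereas on-demand mode sends a single probe just before the first packet after the idle period.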

5. Configuration verification

1. On the branch, initiate an interesting flow toward the headquarters so that the isakmp sa and ipsec sa are successfully established between the branch and the headquarters;

2. Disconnect the external network port cable of the headquarters router. The branch then detects that the peer is unreachable, clears the isakmp sa and ipsec sa, and reinitiates negotiation.

site1#show crypto isakmp sa

 destination        source        state        conn-id        lifetime(second)  //no isakmp sa has been successfully negotiated

site1#show crypto ipsec on

Interface: FastEthernet 0/0

Crypto map tag:mymap

  local ipv4 addr 10.0.0.2

media mtu 1500

==================================

sub_map type:static, seqno:10, id=0

local  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)

remote  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)

PERMIT

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0

#send errors 2, #recv errors 0

No sa is created now. //no ipsec sa has been successfully negotiated


Origin blog.csdn.net/weixin_57099902/article/details/132765652