cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2317
Views
10
Helpful
5
Replies

Role of vendor id in DPD (Dead peer detection)

Hi,

 

Could anyone please tell me the use if the Vendor id sent in Main mode Message 3, why it is related to Dead peer detection (DPD). I have read somewhere to disable DPD if establishing IPSEC tunnel between 2 different vendor devices.

 

Is it something related to the capability of each device or DPD is only supported by cisco as it is a Cisco proprietary?

 

Thank you in Advance!

1 Accepted Solution

Accepted Solutions

@GeetanshBhardwaj15367 

Each vendor must send the Vendor ID if it wished to participate in DPD.

 

IPSLA is usually used in a Policy Based VPN to keep the tunnel up, in the event no interesting traffic was sent over the tunnel. IPSA is also used with VPNs to failover to a different ISP for a backup VPN.

 

DPD is used and is enabled as default on Cisco ASA, to detect if the tunnel is up or down. It sends a message and expects a response, if no response it assumes the peer is dead and deletes the IPSec and IKE SAs. You can then (optionally) failover to a backup VPN quickly, by specifying a secondary peer in the crypto map configuration.

 

IPSLA does not delete the SAs. Use DPD to detect failover and if required use IPSLA to keep the tunnel up.

View solution in original post

5 Replies 5

Dpd is use for ipsec as keepalive message 

now how two peer know that other peer support or not support dpd ?

the two peer exchange vendor I’d = dpd to make other peer know that I will use dpd.

vender I’d is only claim about dpd it not dpd.

Thank you so much for your response, much appreciated.

 

I get that now, so DPD is independent of Vendor, if the tunnel is created between 2 different vendors (Let's say Cisco and Juniper), DPD could still be used as a tunnel monitoring protocol.

 

One last question, IPSLA and DPD are 2 different ways of monitoring the tunnel, right?

 

If I configure IPSLA inside a crypto policy for a regular interval, let's say to initiate a ping for the remote end IP over IPSEC tunnel after every 10 seconds to see if we are getting ICMP response, if not we will mark the tunnel as down and will fallback to secondary.

 

Just wanted to know, if we do not use DPD, IPSLA can be used as an alternate as DPD is working in ISKMP notify message.

 

Thank you!

simply IPSLA depend on Routing table to select the path so if the IPSec tunnel down it can send via other path.
DPD use only and only IPSec tunnel if the tunnel is down in one Peer then DPD never more exchange and other Peer detect that.

@GeetanshBhardwaj15367 

Each vendor must send the Vendor ID if it wished to participate in DPD.

 

IPSLA is usually used in a Policy Based VPN to keep the tunnel up, in the event no interesting traffic was sent over the tunnel. IPSA is also used with VPNs to failover to a different ISP for a backup VPN.

 

DPD is used and is enabled as default on Cisco ASA, to detect if the tunnel is up or down. It sends a message and expects a response, if no response it assumes the peer is dead and deletes the IPSec and IKE SAs. You can then (optionally) failover to a backup VPN quickly, by specifying a secondary peer in the crypto map configuration.

 

IPSLA does not delete the SAs. Use DPD to detect failover and if required use IPSLA to keep the tunnel up.

Thank you @Rob Ingram, this answered the query.