[j-nsp] IPSEC tunnel

Burkhard Ott bott at revenuewire.com
Wed Jan 4 17:08:35 EST 2012


On Wed, 4 Jan 2012 21:58:10 +0000
Humair Ali <humair.s.ali at gmail.com> wrote:

> Hi Asad
> 
> it's been a while since I have been involved with Netscreen,
> 
> but correct me if I am wrong but IKE Keepalive and DPD are exactly
> the same thing,

Nope.

http://www.ietf.org/rfc/rfc3706.txt


> 
> As long as there is VPN traffic, the DPD will not be used, it is only
> used when it does not detect the VPN traffic and starts sending hello
> messages to detect the liveness of the remote end (which is exactly what
> IKE keepalives do)
> 
> If DPD finds the remote site down, stating the tunnel down should force a
> rekeying of the Phase 1 and 2.
> Netscreen does not have DPD on by default but Cisco does, if one end
> detects it is sending DPD Hello but detects that the remote end does not,
> it will bring the tunnel down, hence why enabling DPD on Netscreen
> may help.
> 
> Having said that the problem could be completely some other issues.

Check if the tunnel dies if you pass huge payloads to the tunnel, I
think you might have trouble with the MTU on your external interface.



-- 
Burkhard Ott
Sr. System Administrator
Revenuewire Inc.
1205 - 4464 Markham Street
Victoria, BC V8Z 7X8
250-984-1132 ext. 7132
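The "huge payload" check above is really a path-MTU question: an inner packet close to 1500 bytes grows by the ESP tunnel-mode overhead and no longer fits the external interface, so the outer packet is fragmented or dropped. The following is an added example (not from this thread or from Juniper/Netscreen) that works out that overhead for common ESP suites, finds the largest inner packet that still fits, and binary-searches the path MTU with a do-not-fragment probe. The simulated path (a 1492-byte PPPoE-style hop) and the `ping -M do -s` probe wrapper are assumptions; the per-suite IV, block and ICV sizes are the standard ESP values.

```python
"""ESP tunnel-mode overhead and path-MTU probing (added example, not from the thread).

Assumptions: IPv4 outer header, ESP per RFC 4303, optional UDP encapsulation
for NAT-T (RFC 3948). The simulated path below is constructed for the demo."""
import shutil
import subprocess
from math import ceil

IPV4_HDR = 20      # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
NAT_T_UDP = 8      # UDP header when NAT traversal is in use
ICMP_ECHO_HDRS = 28  # IPv4 (20) + ICMP (8): ping -s takes the payload, not the packet size

# suite name: (IV length, required alignment of the encrypted part, ICV length)
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-gcm-128": (8, 4, 16),   # GCM: explicit 8-byte IV, 4-byte alignment, 16-byte ICV
}


def esp_tunnel_packet_size(inner_len, suite, nat_t=False):
    """Size of the outer IPv4 packet that carries an inner packet of inner_len bytes."""
    iv, align, icv = SUITES[suite]
    # ESP pads payload + trailer up to the cipher block size (4-byte minimum for GCM).
    encrypted = ceil((inner_len + ESP_TRAILER) / align) * align
    size = IPV4_HDR + ESP_HDR + iv + encrypted + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def max_inner_len(outer_mtu, suite, nat_t=False):
    """Largest inner packet that fits outer_mtu without fragmenting the ESP packet."""
    n = outer_mtu
    while esp_tunnel_packet_size(n, suite, nat_t) > outer_mtu:
        n -= 1
    return n


def recommended_tcp_mss(inner_mtu):
    """MSS to clamp on the tunnel so TCP segments never exceed the inner MTU (IPv4 + TCP headers)."""
    return inner_mtu - 40


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest total packet size for which probe(size) reports delivery.

    probe(size) must return True when a DF packet of that size gets through."""
    if not probe(lo):
        raise RuntimeError("even the minimum probe size was dropped")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def ping_df_probe(host):
    """Real probe using Linux iputils: ping -M do sets DF, -s is the ICMP payload size.

    Not exercised by the demo below; requires network access and the ping binary."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found")

    def probe(size):
        payload = size - ICMP_ECHO_HDRS
        r = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return probe


def simulated_path(path_mtu):
    """Constructed stand-in for a real path: DF packets larger than path_mtu are dropped."""
    return lambda size: size <= path_mtu


def plan_tunnel_mtu(probe, suite, nat_t=False):
    """Measure the outer path MTU, then derive the inner MTU and MSS clamp for the tunnel."""
    outer = find_path_mtu(probe)
    inner = max_inner_len(outer, suite, nat_t)
    return {"outer_mtu": outer, "inner_mtu": inner, "tcp_mss": recommended_tcp_mss(inner)}


if __name__ == "__main__":
    # Constructed scenario: a PPPoE-style hop limits the external path to 1492 bytes.
    plan = plan_tunnel_mtu(simulated_path(1492), "aes-cbc/hmac-sha1-96")
    print(plan)  # {'outer_mtu': 1492, 'inner_mtu': 1422, 'tcp_mss': 1382}
```

With a clean 1500-byte external path the AES-CBC/HMAC-SHA1 tunnel carries at most 1438 bytes of inner packet; the same suite behind NAT-T drops to 1422, and any extra hop below 1500 shrinks it further. A host inside the tunnel that still sends 1500-byte DF packets is exactly the "huge payload" case that makes a tunnel look dead while DPD and the SAs are fine.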

