[j-nsp] IPSEC tunnel
Burkhard Ott
bott at revenuewire.com
Wed Jan 4 17:08:35 EST 2012
On Wed, 4 Jan 2012 21:58:10 +0000
Humair Ali <humair.s.ali at gmail.com> wrote:
> Hi Asad
>
> it's been a while I have not been involved with Netscreen,
>
> but correct me if I am wrong but IKE Keepalive and DPD are exactly
> the same thing,
Nope.
http://www.ietf.org/rfc/rfc3706.txt
>
> As long as there is VPN traffic, the DPD will not be used, it is only
> used when it does not detect the VPN traffic and start sending hello
> message to detect the liveness of remote end (which is exactly what
> IKE keepalives do)
>
> If DPD find remote site down, stating the tunnel down should force a
> rekeying of the Phase 1 and 2 .
> Netscreen does not have DPD on by default but Cisco does, if one end
> detect it is sending DPD Hello but detects that remote end does not ,
> it will bring the tunnel down, hence why enabling DPD on Netscreen
> may help.
> Having said that the problem could be completely some other issues.
Check if the tunnel dies if you pass huge payloads to the tunnel, I
think you might have trouble with the MTU on your external interface.
--
Burkhard Ott
Sr. System Administrator
Revenuewire Inc.
1205 - 4464 Markham Street
Victoria, BC V8Z 7X8
250-984-1132 ext. 7132
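To illustrate the distinction Burkhard points to (RFC 3706 DPD is an idle-triggered probe, not a periodic keepalive), here is an added example that is not from the thread or from either vendor: a small model of a DPD initiator that stays quiet while protected traffic arrives, sends R-U-THERE only after a silence threshold, and declares the peer dead after a fixed number of unanswered probes. The timer values and retry count are constructed for the example, not Netscreen or Cisco defaults.

```python
"""RFC 3706 Dead Peer Detection modelled as an idle-triggered probe (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdPeer:
    idle_seconds: float = 10.0   # silence before the first R-U-THERE (constructed value)
    retry_seconds: float = 2.0   # wait per unanswered probe before retrying (constructed)
    max_retries: int = 3         # unanswered probes before the peer is declared dead
    now: float = 0.0
    last_rx: float = 0.0         # time of the last authenticated inbound IPsec/IKE packet
    seq: int = 1                 # next R-U-THERE sequence number (RFC 3706 section 5.4)
    outstanding: int = 0         # probes sent without an R-U-THERE-ACK
    probe_sent_at: Optional[float] = None
    dead: bool = False
    sent: List[Tuple[str, int]] = field(default_factory=list)

    def rx_traffic(self) -> None:
        """Any authenticated inbound packet proves liveness; no probe is needed."""
        self.last_rx = self.now
        self.outstanding = 0
        self.probe_sent_at = None

    def rx_ack(self, seq: int) -> None:
        """An R-U-THERE-ACK counts only if it echoes the last sequence number sent."""
        if seq == self.seq - 1:
            self.rx_traffic()

    def tick(self, dt: float) -> None:
        """Advance the clock; decide whether a probe is due or the peer is dead."""
        self.now += dt
        if self.dead:
            return
        if self.probe_sent_at is not None:
            if self.now - self.probe_sent_at >= self.retry_seconds:
                if self.outstanding >= self.max_retries:
                    self.dead = True          # tear down SAs so IKE must renegotiate
                    return
                self._send_probe()            # retransmit with a new sequence number
        elif self.now - self.last_rx >= self.idle_seconds:
            self._send_probe()                # first probe, only after idle period

    def _send_probe(self) -> None:
        self.sent.append(("R-U-THERE", self.seq))
        self.seq += 1
        self.outstanding += 1
        self.probe_sent_at = self.now
```

Contrast with a periodic keepalive: here a busy tunnel never emits a probe at all, and a single R-U-THERE-ACK with the right sequence number resets the retry counter.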