[j-nsp] IPSEC tunnel

Humair Ali humair.s.ali at gmail.com
Wed Jan 4 17:29:11 EST 2012


Yep, I stand corrected!

*DPD addresses the shortcomings of IKE keepalives- and heartbeats-schemes by introducing a more reasonable logic governing message exchange*



On 4 January 2012 22:08, Burkhard Ott <bott at revenuewire.com> wrote:

> On Wed, 4 Jan 2012 21:58:10 +0000
> Humair Ali <humair.s.ali at gmail.com> wrote:
>
> > Hi Asad
> >
> > it's been a while since I have been involved with Netscreen,
> >
> > but correct me if I am wrong: IKE Keepalive and DPD are exactly
> > the same thing,
>
> Nope.
>
> http://www.ietf.org/rfc/rfc3706.txt
>
>
> >
> > As long as there is VPN traffic, DPD will not be used; it is only
> > used when it does not detect VPN traffic and starts sending hello
> > messages to detect the liveness of the remote end (which is exactly
> > what IKE keepalives do).
> >
> > If DPD finds the remote site down, declaring the tunnel down should
> > force a rekeying of Phase 1 and 2.
> > Netscreen does not have DPD on by default but Cisco does; if one end
> > detects that it is sending DPD Hello but the remote end does not,
> > it will bring the tunnel down, hence why enabling DPD on Netscreen
> > may help.
>
> > Having said that the problem could be completely some other issues.
>
> Check if the tunnel dies if you pass huge payloads to the tunnel; I
> think you might have trouble with the MTU on your external interface.
>
>
>
> --
> Burkhard Ott
> Sr. System Administrator
> Revenuewire Inc.
> 1205 - 4464 Markham Street
> Victoria, BC V8Z 7X8
> 250-984-1132 ext. 7132
>



-- 
Humair
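The distinction the thread lands on (DPD probes only when the initiator has traffic to send and has heard nothing from the peer for a while, whereas a fixed-interval keepalive sends regardless) is easiest to see by simulating both policies side by side. The following is an added illustration written for this archive page, not code from the thread, from RFC 3706 or from any Netscreen/Cisco implementation: the timers, the event timeline and the `Dpd`/`Keepalive` classes are constructed assumptions, and real IKE notify payloads, vendor ID negotiation and SA teardown are left out.

```python
"""Toy comparison of RFC 3706 style Dead Peer Detection with a periodic
IKE keepalive.  Illustration only; timings and traffic pattern are
constructed and do not reflect any particular vendor's defaults."""
from dataclasses import dataclass, field


@dataclass
class Dpd:
    """Liveness check in the spirit of RFC 3706: send R-U-THERE only when
    we have outbound traffic and the peer has been silent for
    idle_interval seconds; retransmit, then declare the peer dead."""
    idle_interval: float = 10.0      # inbound silence before we start probing
    retry_interval: float = 2.0      # gap between R-U-THERE retransmissions
    max_retries: int = 3             # probes sent before giving up
    last_rx: float = 0.0             # time of last inbound packet from the peer
    last_probe: float = float("-inf")
    retries: int = 0
    dead: bool = False
    log: list = field(default_factory=list)

    def step(self, now: float, inbound: bool, outbound: bool) -> None:
        if inbound:                  # any protected traffic proves liveness
            self.last_rx, self.retries = now, 0
            return
        if self.dead:
            return
        idle = now - self.last_rx >= self.idle_interval
        probing = self.retries > 0   # a probe sequence is already in flight
        if not idle or not (outbound or probing):
            return                   # peer recently heard from, or nothing to send
        if now - self.last_probe < self.retry_interval:
            return                   # wait for the retransmission timer
        if self.retries >= self.max_retries:
            self.dead = True
            self.log.append((now, "peer declared dead; SA would be torn down"))
            return
        self.retries += 1
        self.last_probe = now
        self.log.append((now, f"R-U-THERE #{self.retries}"))


@dataclass
class Keepalive:
    """Fixed-interval keepalive: transmits on a timer whether or not the
    tunnel is carrying traffic."""
    interval: float = 10.0
    last_sent: float = float("-inf")
    log: list = field(default_factory=list)

    def step(self, now: float, inbound: bool, outbound: bool) -> None:
        if now - self.last_sent >= self.interval:
            self.last_sent = now
            self.log.append((now, "keepalive"))


def silent_peer_timeline():
    """Constructed scenario: 30 s of bidirectional traffic, then the remote
    end goes silent while we keep trying to send for another 30 s."""
    return [(float(t), t < 30, True) for t in range(60)]


def busy_timeline():
    """Constructed scenario: traffic both ways for 30 s, peer never silent."""
    return [(float(t), True, True) for t in range(30)]


def idle_timeline():
    """Constructed scenario: neither side sends anything for 60 s."""
    return [(float(t), False, False) for t in range(60)]


def run(events):
    """Feed one event list (time, inbound, outbound) to both policies."""
    dpd, ka = Dpd(), Keepalive()
    for now, inbound, outbound in events:
        dpd.step(now, inbound, outbound)
        ka.step(now, inbound, outbound)
    return dpd, ka


if __name__ == "__main__":
    for name, tl in (("silent peer", silent_peer_timeline()),
                     ("busy tunnel", busy_timeline()),
                     ("idle tunnel", idle_timeline())):
        dpd, ka = run(tl)
        print(f"--- {name}: DPD sent {len(dpd.log)} messages, "
              f"keepalive sent {len(ka.log)}, dead={dpd.dead}")
        for t, msg in dpd.log:
            print(f"  t={t:5.1f}s  {msg}")
```

On the silent-peer timeline the DPD side sends nothing until 10 s after the last inbound packet, then three R-U-THERE probes two seconds apart and declares the peer dead; on the busy and fully idle timelines it sends nothing at all, while the keepalive fires every 10 s in every case. That is the "more reasonable logic governing message exchange" the quoted RFC sentence refers to.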

