Wednesday 2 December 2009

IKE - Functions - Dead Peer Detection

Dead Peer Detection - used to detect a dead IKE peer and perform IKE peer failover.
- If a dead IKE peer is detected, the IKE SA and the IPsec SA to that peer are torn down.
- DPD has 2 modes of operation:
    a) Default setting - a DPD hello is sent every 10 seconds (unless the router receives a hello
        message from the peer first), but this leads to increased network activity from all the hellos.
    b) On demand - the router sends a DPD hello packet in advance of sending some data. This option reduces unnecessary network traffic, but could result in you only finding out there is a network issue when data needs to be sent, not before.

- Implemented using:
  #crypto isakmp keepalives [frequency] [retries] [periodic | on-demand]
   where frequency = number of seconds between DPD messages
         retries = number of seconds between DPD retries if the DPD message fails
         periodic = DPD messages are sent at regular intervals
         on-demand = DPD retries are sent on demand - this is the default behaviour.

E.g. - #crypto isakmp keepalives 10 3 periodic

By implementing this you can then specify a second remote peer within your IPsec crypto map to establish your SA:
for example - #crypto map TEST 10 ipsec-isakmp
          # set peer 172.31.1.100 default
          # set peer 172.31.1.200

The default option indicates that this peer should be used first to establish an SA; the second peer is used only if the first remote peer is detected to be dead.
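Putting the pieces above together, the following is an added, constructed IOS configuration (it is not from the original post) that enables periodic DPD and binds a crypto map with a default peer and a backup peer to an interface. The peer addresses and the crypto map name TEST are the ones used in the post; the ISAKMP policy number, the pre-shared key placeholder, the transform-set and ACL names, the protected subnets and the interface name are assumptions, and the SHA-256 options assume an IOS 15.x image.

```cisco
! Constructed example: periodic DPD with IKE peer failover via a default peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per remote peer (PLACEHOLDER_PSK is a placeholder, not a real key)
crypto isakmp key PLACEHOLDER_PSK address 172.31.1.100
crypto isakmp key PLACEHOLDER_PSK address 172.31.1.200
!
! Periodic DPD: a hello every 10 seconds, retried every 3 seconds once a hello goes unanswered.
! Drop "periodic" (or use "on-demand") to revert to the default on-demand behaviour.
crypto isakmp keepalives 10 3 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic that triggers SA establishment (assumed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! The default peer is tried first; the second peer is used once DPD declares the first one dead
crypto map TEST 10 ipsec-isakmp
 set peer 172.31.1.100 default
 set peer 172.31.1.200
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map TEST
```

After applying it, `show crypto isakmp sa` and `show crypto session detail` show which peer the current IKE and IPsec SAs are built to, so you can confirm that a failover actually moved the tunnel to 172.31.1.200 rather than simply leaving the traffic without an SA.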