Finally my virtual SRX lab is ready for my DPD tests. As you might know, DPD (Dead Peer Detection) is a method used to detect whether an IPsec peer is alive or not. Here we will see the ways DPD can be configured and also why we really need a monitoring method like DPD. I will probably talk about VPN monitoring in a different post.

For the DPD tests, I will use the following IPsec topology.

![]()

Test steps:

1. Establish Phase1 and Phase2 of the IPsec tunnel.
2. Wait a minute or so and send an ICMP probe.

![]()

The above packet capture is taken on the core network to see the packets exchanged during tunnel establishment. Packets 1-6 belong to Phase1 and 7-9 belong to Phase2. Then we wait ~174 seconds and send an ICMP packet from the EAST IPsec peer's internal network. What I am trying to show is that from the moment the tunnel is established until the first ICMP is sent, there isn't any packet exchanged. We have a default IPsec tunnel configuration with no monitoring configured, but the ICMP is successfully sent through the tunnel and a response is received.

Now we power off the remote IPsec peer (co-a: LAB1007) on the west side abruptly, without giving IPsec any chance to terminate the tunnel. After we power off the remote IPsec peer, we send one ICMP packet and take another capture on the core network.

![]()

Heyy, we can see that the packet is encrypted properly and sent to the dead peer. But why are we sending packets to a dead peer? Isn't the remote peer powered off? Apparently the SRX2 IPsec peer has no idea what happened to its peer. Let's look at SRX2's view with `show security ike sa | match 192.168.18.2`:

    31074 ESP: sha1 29b19e03 10448/unlim - root 500 192.168.18.2

The SA is still there because SRX2 doesn't really check whether its peer is alive or not. So we enable DPD to check if the remote peer is alive:

    set security ike gateway LAB1007 dead-peer-detection interval 10
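To make the timing behind `interval` (and Junos's companion `threshold` setting) concrete, here is an added simulation of the RFC 3706 liveness logic that DPD implements; it is my own illustration, not Junos code and not part of the lab above. A gateway that has heard nothing from its peer for `interval` seconds sends R-U-THERE probes and declares the peer dead once `threshold` probes in a row go unanswered. The ICMP reply at second 174 and the peer being powered off at second 200 are assumed values echoing the test, and Junos's DPD modes are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DpdMonitor:
    """Liveness state one IPsec gateway keeps about its remote peer (constructed model)."""
    enabled: bool = True
    interval: int = 10           # seconds of silence before an R-U-THERE probe is sent
    threshold: int = 5           # consecutive unanswered probes tolerated before the peer is dead
    last_heard: int = 0          # time of the last IKE/ESP packet received from the peer
    last_probe: Optional[int] = None
    missed: int = 0              # probes sent since the peer was last heard from
    dead: bool = False
    probes: list = field(default_factory=list)   # seconds at which probes went out

    def heard_from_peer(self, now: int) -> None:
        """Any packet from the peer (ESP data, R-U-THERE-ACK) proves it is alive."""
        self.last_heard = now
        self.missed = 0

    def tick(self, now: int) -> Optional[str]:
        """Run once per second; returns 'R-U-THERE' when a probe is sent, 'DEAD' on detection."""
        if not self.enabled or self.dead:
            return None          # no DPD: nothing is ever sent to check on the peer
        silent_for = now - self.last_heard
        probe_due = self.last_probe is None or now - self.last_probe >= self.interval
        if silent_for < self.interval or not probe_due:
            return None          # heard from the peer recently, or a probe is still outstanding
        if self.missed >= self.threshold:
            self.dead = True     # `threshold` probes in a row went unanswered
            return "DEAD"
        self.last_probe = now
        self.missed += 1
        self.probes.append(now)
        return "R-U-THERE"

def simulate(dpd: DpdMonitor, peer_dies_at: int, end: int, replies_at=()) -> Optional[int]:
    """Drive one gateway second by second. The remote peer answers the ESP traffic in
    `replies_at` (e.g. an ICMP echo reply) and every probe until `peer_dies_at`, when it
    is powered off abruptly. Returns the second the peer is declared dead, or None."""
    for now in range(end):
        if now in replies_at and now < peer_dies_at:
            dpd.heard_from_peer(now)
        if dpd.tick(now) == "R-U-THERE" and now < peer_dies_at:
            dpd.heard_from_peer(now)   # a live peer answers with R-U-THERE-ACK at once
        if dpd.dead:
            return now
    return None
```

With DPD disabled, `simulate(DpdMonitor(enabled=False), 200, 1000, {174})` returns None and no probe is ever sent, which is exactly the silence seen in the captures above; with `interval=10, threshold=5` the dead peer is detected at second 254, i.e. one interval of silence plus five unanswered probes after the last packet from the peer at second 194.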