Technical Tip: Configuring DPD (dead peer detection) on IPsec VPN (2024)

Description

This article describes how to configure DPD on IPsec VPN.

Sometimes, due to routing issues or other network issues, the communication link between a FortiGate unit and a VPN peer or client may go down.
Packets could be lost if the connection is left to time out on its own. The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and to re-establish IKE negotiations automatically before a connection times out: the active Phase 1 security associations are caught and renegotiated (rekeyed) before the Phase 1 encryption key expires.

The commands in this article will help to configure DPD (dead peer detection) on IPsec VPN.

Scope

FortiClient.

Solution

It is possible to configure DPD per phase1-interface as follows (default settings are shown):

config vpn ipsec phase1-interface
edit <Tunnel Name>
set dpd [disable | on-idle | on-demand]
set dpd-retryinterval 20
set dpd-retrycount 3
next
end

DPD:
Disable: Disable Dead Peer Detection.
On-idle: Trigger Dead Peer Detection when no IPsec traffic is received.
On-demand: Trigger Dead Peer Detection when no IPsec traffic is received AND FortiGate has been sending IPsec traffic.

DPD-RETRYINTERVAL:
How long is the interval in seconds after which a DPD will be attempted again.

DPD-RETRYCOUNT:
How often will the DPD be attempted.

With the default settings, DPD will be attempted every 20 seconds, 3 times. In total after one minute without DPD responses the tunnel will be turned down.

On GUI:

On a dial-up server, if a multitude of VPN connections is idle, the increased DPD exchange could negatively impact the performance/load of the IKE process.
For this reason, an option is available in the CLI to send DPD passively in a mode called 'on-demand'.

• When there is no traffic and the last DPD-ACK has been received, IKE will not send DPDs periodically.
  

IKE will only send out DPDs if there are outgoing packets to send but no inbound packets have since been received.

Crosscheck the DPD exchange with the diagnose tool on CLI:

diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

In IKEv1, DPD messages will be as 'R-U-THERE' and responses as 'R-U-THERE-ACK':

ike 3:testVPN:123123: sent IKE msg (R-U-THERE): 1.2.3.4:500->4.3.2.1:500, len=92, id=8357cf8e359f24b8/e7763893c7180208:2ab66f73
...
ike 3:testVPN:123123: notify msg received: R-U-THERE-ACK

In IKEv2, the message will be 'informational':

2021-02-10 16:20:48.645409 ike 0:VPN-test:9: send IKEv2 DPD probe
2021-02-10 16:20:48.645478 ike 0:VPN-test:21: sending NOTIFY msg
2021-02-10 16:20:48.645543 ike 0:VPN-test:9:21: send informational

For further information, refer to the 'FortiGate/FortiOS Documentation' manual which is available in the Fortinet Document Library.