Dead-Peer Detection in 1.2.0?


I recently upgraded a branch firewall from 1.1.8 to 1.2.0 (due to some irritating hardware issues with the kernel on 1.1.x) and it looks like IKEv1 DPD isn’t working any more? We had a network blip and our tunnel to one of our AWS VPCs required a manual restart.

This particular IPsec setup is just using the stock, Amazon-generated Vyatta configuration. Relevant section:

# show vpn ipsec  ike-group
 ike-group AWS {
     dead-peer-detection {
         action restart
         interval 15
         timeout 30
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes128
         hash sha1
     }
 }

I saw from T349 that this wasn’t expected to work in 1.1.x (although it had been working for us), but I was surprised that it was still an issue in 1.2.x.
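As an added example (not part of the original post or of VyOS's own tooling), a small Python script that parses the ike-group fragment above into nested dicts and sanity-checks its dead-peer-detection block before the tunnel is relied on: that an action is set and is one of the names assumed here to be valid (hold, clear, restart), that the interval is positive, and that the timeout exceeds the probe interval.

```python
# Constructed copy of the "show vpn ipsec ike-group" output from the post.
IKE_GROUP_TEXT = """\
 ike-group AWS {
     dead-peer-detection {
         action restart
         interval 15
         timeout 30
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes128
         hash sha1
     }
 }
"""

def parse_config(text):
    """Parse a VyOS-style brace config into nested dicts (leaf values are strings)."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":                      # close current block
            cur = stack.pop()
        elif line.endswith("{"):             # open a nested block, e.g. "proposal 1 {"
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:                                # "key value" leaf
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    return root

def check_dpd(group):
    """Return a list of findings for one ike-group dict; empty list means OK."""
    dpd = group.get("dead-peer-detection")
    if dpd is None:
        return ["no dead-peer-detection block: a lost peer triggers no action"]
    findings = []
    if dpd.get("action") not in ("hold", "clear", "restart"):  # assumed VyOS names
        findings.append(f"unknown DPD action {dpd.get('action')!r}")
    interval, timeout = int(dpd.get("interval", 0)), int(dpd.get("timeout", 0))
    if interval <= 0:
        findings.append("interval must be > 0")
    if timeout <= interval:
        findings.append("timeout should exceed interval")
    return findings
```

Run it against a fresh `show vpn ipsec ike-group` capture after an upgrade to confirm the DPD block survived the migration intact; it checks the configuration only, not whether the daemon actually sends the probes.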