I recently upgraded a branch firewall from 1.1.8 to 1.2.0 (due to some irritating hardware issues with the kernel on 1.1.x) and it looks like IKEv1 DPD isn’t working any more? We had a network blip and our tunnel to one of our AWS VPCs required a manual restart.
This particular IPsec setup is just using the stock, Amazon-generated Vyatta configuration. Relevant section:
# show vpn ipsec ike-group
 ike-group AWS {
     dead-peer-detection {
         action restart
         interval 15
         timeout 30
     }
     ikev2-reauth no
     key-exchange ikev1
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes128
         hash sha1
     }
 }
I saw from T349 that this wasn’t expected to work in 1.1.x (although it had been working for us), but I was surprised that it was still an issue in 1.2.x.
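As an added example (not part of the report above, and not VyOS project code), the following script parses the brace-style ike-group output shown in the report, translates its dead-peer-detection node into the strongSwan ipsec.conf keywords (dpdaction, dpddelay, dpdtimeout) that the generated tunnel configuration has to carry for DPD to fire, and flags settings that cannot work as intended. The sample config is constructed from the report; the assumption that VyOS 1.2 maps the node onto exactly those three keywords, and the fallback defaults of interval 30 and timeout 120, are mine and not taken from the page.

```python
from typing import Any, Dict, List

# Constructed sample: the ike-group block from the report, as `show` prints it.
SAMPLE_CONFIG = """\
ike-group AWS {
    dead-peer-detection {
        action restart
        interval 15
        timeout 30
    }
    ikev2-reauth no
    key-exchange ikev1
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption aes128
        hash sha1
    }
}
"""


def parse_vyos_config(text: str) -> Dict[str, Any]:
    """Parse Vyatta/VyOS brace-style config text into nested dicts.

    "key value" leaves become strings; "name [tag] {" blocks become nested
    dicts keyed by the full header (e.g. "proposal 1"). Blank lines and
    "#" comment lines (such as the "# show ..." prompt) are skipped.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def dpd_to_strongswan(ike_group: Dict[str, Any]) -> Dict[str, str]:
    """Map a parsed ike-group's dead-peer-detection node to strongSwan
    ipsec.conf conn keywords. Assumption: VyOS 1.2 emits exactly these."""
    dpd = ike_group.get("dead-peer-detection")
    if dpd is None:
        return {"dpdaction": "none"}
    action = dpd.get("action", "hold")
    if action not in ("hold", "clear", "restart"):
        raise ValueError(f"unknown DPD action {action!r}")
    out = {"dpdaction": action, "dpddelay": f"{int(dpd.get('interval', 30))}s"}
    if ike_group.get("key-exchange", "ikev1") == "ikev1":
        # strongSwan honours dpdtimeout only for IKEv1 (RFC 3706 DPD);
        # IKEv2 liveness is governed by its retransmission timers instead.
        out["dpdtimeout"] = f"{int(dpd.get('timeout', 120))}s"
    return out


def check_dpd(ike_group: Dict[str, Any]) -> List[str]:
    """Return warnings for DPD settings that cannot behave as the operator expects."""
    warnings: List[str] = []
    dpd = ike_group.get("dead-peer-detection")
    if dpd is None:
        return ["dead-peer-detection not configured; tunnel will not self-heal"]
    interval = int(dpd.get("interval", 30))
    timeout = int(dpd.get("timeout", 120))
    if timeout <= interval:
        warnings.append(f"timeout {timeout}s must exceed interval {interval}s")
    if ike_group.get("key-exchange") == "ikev2" and "timeout" in dpd:
        warnings.append("timeout is ignored for IKEv2; retransmission timers apply")
    return warnings


if __name__ == "__main__":
    group = parse_vyos_config(SAMPLE_CONFIG)["ike-group AWS"]
    print(dpd_to_strongswan(group))
    for warning in check_dpd(group):
        print("WARNING:", warning)
```

Running this against the report's config yields dpdaction=restart, dpddelay=15s, dpdtimeout=30s with no warnings, so if those keywords are absent from the ipsec.conf the box actually generated, the configuration rendering rather than the operator's settings is the place to look.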