Page MenuHomeVyOS Platform

Does the IKEv1 Dead-peer-detection work?
Closed, WontfixPublicBUG


I have VyOS with DMVPN/IPSec configured (IKEv1). I did configure the dead-peed-detection:

show vpn ipsec ike-group IKE-DMVPN 
 dead-peer-detection {
    action restart
    interval 30
    timeout 30
 ikev2-reauth no
 key-exchange ikev1
 lifetime 28800
 proposal 1 {
     dh-group 2
     encryption 3des
     hash md5

But after I power off the peer router (Cisco) and power on again, my VyOS router is trying to use old SA and as result the tunnel is down. It seems to DPD does not work at all. Is it so?


Difficulty level
Unknown (require assessment)
VyOS 1.1.7 (helium)
Why the issue appeared?
Will be filled on close

Event Timeline

DPD does not work reliably on 1.1.7 as far as I can tell. I routinely have to restart my sessions to AWS.

So bad. What about future plans? maybe 1.1.8 or 2.x.x?

Seems to work fine in 2.x

That said- if you can use IKEv2 that's a much better idea than DPD which is really just a hack anyway.

syncer claimed this task.
syncer added a subscriber: syncer.

this will be not addressed in 1.1.x