Page MenuHomeVyOS Platform
Create Task
Maniphest T349

Does the IKEv1 Dead-peer-detection work?
Closed, WontfixPublicBUG
Actions

Description

I have VyOS with DMVPN/IPSec configured (IKEv1). I did configure the dead-peed-detection:

show vpn ipsec ike-group IKE-DMVPN 
 dead-peer-detection {
    action restart
    interval 30
    timeout 30
 }
 ikev2-reauth no
 key-exchange ikev1
 lifetime 28800
 proposal 1 {
     dh-group 2
     encryption 3des
     hash md5
 }

But after I power off the peer router (Cisco) and power on again, my VyOS router is trying to use old SA and as result the tunnel is down. It seems to DPD does not work at all. Is it so?

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.1.7 (helium)
Why the issue appeared?
Will be filled on close

Event Timeline

evgeniy.s.nikolaev created this task.Aug 1 2017, 8:50 AM
sirket added a subscriber: sirket.Aug 1 2017, 8:55 AM

DPD does not work reliably on 1.1.7 as far as I can tell. I routinely have to restart my sessions to AWS.

evgeniy.s.nikolaev added a comment.Aug 1 2017, 8:58 AM

So bad. What about future plans? maybe 1.1.8 or 2.x.x?

sirket added a comment.Aug 1 2017, 5:49 PM

Seems to work fine in 2.x

That said- if you can use IKEv2 that's a much better idea than DPD which is really just a hack anyway.

evgeniy.s.nikolaev added a comment.Aug 2 2017, 12:10 PM
This comment was removed by evgeniy.s.nikolaev.
syncer closed this task as Wontfix.Aug 21 2017, 3:39 AM
syncer claimed this task.
syncer added a subscriber: syncer.

this will be not addressed in 1.1.x

syncer edited projects, added Rejected; removed VyOS 1.1.x.Oct 15 2018, 6:30 AM