Page MenuHomeVyOS Platform
Create Task
Maniphest T542

IKE DPD timer value
Closed, ResolvedPublicBUG
Actions

Description

VyOS 1.1.8 allows IKE DPD interval from 15 to 86400 sec and timeout from 30 to 86400 sec, default values of 30 and 120 sec, are incompatible with Cisco ASA which has DPD interval from 2 to 10 sec and timeout from 10 to 3600 sec with 2/10 sec by default.

Possible workaround is to use 10/30 sec on Cisco and 15/30 sec on VyOS with slow dead-peer-detection and slow failover.

Hope we could adjust these values.

Details

Difficulty level
Unknown (require assessment)
Version
1.1.8
Why the issue appeared?
Will be filled on close

Related Objects
Search...

StatusSubtypeAssignedTask
Unknown Object (Maniphest Task)
 ResolvedBUGsyncerT542 IKE DPD timer value

Event Timeline

sergei created this task.Feb 10 2018, 12:46 PM
syncer added a parent task: Unknown Object (Maniphest Task).Feb 10 2018, 12:49 PM
syncer added a subscriber: syncer.

@sergei can you check 1.2 behaviour too please

syncer triaged this task as Normal priority.Feb 10 2018, 12:50 PM
sergei added a comment.Feb 10 2018, 2:10 PM

Found workaround for ESP lifetime issue, need monitoring for 24 hrs to verify.

syncer added a project: VyOS 1.2 Crux.Feb 10 2018, 2:18 PM
sergei added a comment.Feb 11 2018, 12:44 PM

I found VPN tunnel with esp lifetime of 43200 sec (12 hrs) is stable. Can share my config if necessary.

syncer added a comment.Feb 11 2018, 12:45 PM

@sergei yes, please put it here for records

sergei added a comment.Feb 12 2018, 9:18 PM

vyos_vpn_conf3 KBDownload
File added.

sergei mentioned this in Unknown Object (Maniphest Task).Feb 12 2018, 9:20 PM
unixninja92 added a subscriber: unixninja92.Feb 21 2018, 2:07 AM

Pull request: https://github.com/vyos/vyatta-cfg-vpn/pull/18

syncer removed a project: VyOS 1.1.x.Feb 27 2018, 3:47 PM
syncer closed this task as Resolved.Feb 27 2018, 4:48 PM
syncer claimed this task.
syncer moved this task from Need Triage to Finished on the VyOS 1.2 Crux board.
ckdizzion added a subscriber: ckdizzion.Feb 27 2018, 5:18 PM

Customer could not wait any longer and did did not want to do any more testing. We rolled back to 1.8.1 and IKEv1. We can considered this closed. Thanks for the help and efforts!!!!

syncer removed a project: VyOS 1.2 Crux.Oct 15 2018, 11:31 PM