Dead peer detection (DPD) allows two IPSec peers to determine whether the other is still alive during the lifetime of a VPN connection. DPD is useful because a host may reboot, or the dialup link of a remote user may drop, without notifying the peer that the VPN connection has gone away. When the IPSec host determines that a VPN connection no longer exists, it can notify the user, attempt to switch to another IPSec host, or clean up the resources that were allocated for the peer that no longer exists.
A DPD peer can send DPD messages, reply to DPD messages, or both. DPD messages are unidirectional and are sent automatically by the Cisco VPN Client. Unlike the old-style IKE keepalives, DPD is not required on both peers: it can be configured on just the remote, just the headend, or both, depending on the requirements. The isakmp keepalive command in tunnel-group ipsec-attributes configuration mode enables the PIX Security Appliance gateway to send IKE DPD messages. Its threshold keyword sets the number of seconds between DPD messages, and its retry keyword sets the number of seconds between retries when a DPD message goes unanswered; the peer is declared dead only after the retries are exhausted, so a shorter threshold and retry interval frees stale SAs sooner at the cost of more keepalive traffic.
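The configuration described above, written out as an added example rather than a listing from the course page. It assumes a remote-access tunnel group named training on a PIX 7.x security appliance; the group name and the timer values are illustrative choices, not values from the original text.

```cisco
! Added example, not taken from the course material.
! Assumes a PIX 7.x / ASA remote-access tunnel group named "training"
! (hypothetical name) that the VPN Client connects to.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool vpnpool
tunnel-group training ipsec-attributes
 pre-shared-key *****
 ! Send a DPD message if the peer has been idle for 20 seconds,
 ! and retry every 3 seconds when a DPD message goes unanswered.
 ! Both values are illustrative; PIX defaults are threshold 10, retry 2.
 isakmp keepalive threshold 20 retry 3
!
! Headend only / never send DPD from the gateway (the VPN Client will
! still send its own DPD messages):
!  isakmp keepalive disable
!
! Verification: confirm the setting took and watch SAs for a dead peer.
! show running-config tunnel-group training
! show isakmp sa
```

After a remote client is powered off without disconnecting, show isakmp sa should show the peer's SA disappear once the threshold plus retry interval has elapsed; if the entry lingers, check that the ipsec-attributes of the tunnel group the client actually lands in (not a different group) carry the isakmp keepalive line.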
Lab Exercise: Configure a Secure VPN Using IPSec between a PIX and a VPN Client using ASDM
In this lab exercise, students will configure the PIX Easy VPN Server feature using the VPN Wizard. Students will then install and configure the Cisco VPN Client on the student PC. Finally, students will verify and test the Cisco VPN Client remote access connection.

Lab Exercise: Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI
In this lab exercise, students will configure and verify the PIX Easy VPN Server feature using the CLI. Students will then install and configure the Cisco VPN Client on a Microsoft Windows end-user PC. Finally, students will verify and test the Cisco VPN Client remote access connection.