Enable DPD on R80.20

Hi everyone,

I have upgraded from R77.30 to R80.20 recently and I am new to R80.20. I have 20 IPsec tunnels terminated on my cluster firewalls, and here is my question:

1- There is an issue on one IPsec tunnel with a 3rd party and I need to enable DPD mode (the tunnel is not permanent). If I enable DPD mode, is there any impact on the other tunnels?

And here is the tunnel config:

IKEv1
Phase 1
AES-256
SHA-256
DH: Group 5
Renegotiation IKE security: 1440 minutes

I'd appreciate it if someone could assist me in resolving the issue.

7 Replies

Re: enable DPD on R80.20

If I understand the documentation correctly, you can only use one monitoring method (DPD or Tunnel Test) per gateway.


Re: enable DPD on R80.20

Hi Dameon,

As far as I know, DPD is not enabled on the gateways and keep_IKE_SAs is not checked, so what do you suggest?


Re: enable DPD on R80.20

DPD is not enabled by default, that much I know. 

I'll have to confirm my understanding with R&D.

You may also want to check with the TAC as well. 

How To Open a Case with TAC and/or Account Services

Re: enable DPD on R80.20

Hi Dameon,

Do you have any update from your R&D team? If I enable DPD, does it have any impact on the existing IPsec tunnels?


Re: enable DPD on R80.20

To clarify, the setting controls the method the given gateway can be probed by (Tunnel Test or DPD).

A given gateway can be probed by one or the other, not both.

If you configure the remote gateway object to use DPD and the others in the community remain set to Tunnel Test, your gateway will probe the remote gateway with DPD and the others will use Tunnel Test.

Which I think is what you're after.

Re: enable DPD on R80.20

Thanks, Dameon, for your reply.

So in this case, are the following steps correct?

1- Enable "keep_IKE_SAs" from SmartDashboard, Global Properties, Advanced VPN configuration, and then push the policy

2- Back up the Check Point Registry:

[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL

[Expert@HostName:0]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1

[Expert@HostName:0]# cpstop ; cpstart

Or is just step 1 enough?

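The registry edit in step 2 above, wrapped so the change is auditable: an added example, not code from the thread or from Check Point. It assumes HKLM_registry.data is a text file in which the value name forceSendDPDPayload appears once it has been set (a presence check only, not a check of the value), and that ckp_regedit and $CPDIR exist only on a Check Point gateway, so the apply step is skipped anywhere else.

```shell
#!/bin/sh
# Added example: verified backup plus before/after check around the
# ckp_regedit command from the thread. The registry path, key path and
# value name are the ones quoted in the post; the text-file assumption
# for HKLM_registry.data is ours.

REG_KEY_PATH="SOFTWARE/CheckPoint/VPN1"
REG_VALUE="forceSendDPDPayload"

# Copy the registry file to a timestamped backup and prove the copy is
# byte-identical before anything is changed. Prints the backup path.
backup_registry() {
    src="$1"
    dst="$1.$(date +%Y%m%d%H%M%S).bak"
    cp "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Presence check (assumption: the value name appears in the text file
# once set). Returns 0 if present, 1 if absent.
dpd_value_present() {
    grep -q "$REG_VALUE" "$1"
}

# Apply the change only on a gateway and only if the value is not
# already present; abort if the backup cannot be verified.
apply_dpd_registry() {
    reg="$CPDIR/registry/HKLM_registry.data"
    if dpd_value_present "$reg"; then
        echo "$REG_VALUE already present in $reg; nothing to do"
        return 0
    fi
    backup_registry "$reg" >/dev/null || { echo "backup failed, aborting" >&2; return 1; }
    ckp_regedit -a "$REG_KEY_PATH" "$REG_VALUE" -n 1 || return 1
    dpd_value_present "$reg" || { echo "value not found after edit" >&2; return 1; }
    echo "$REG_VALUE set; run 'cpstop ; cpstart' in a maintenance window"
}

if [ -n "$CPDIR" ] && command -v ckp_regedit >/dev/null 2>&1; then
    apply_dpd_registry
fi
```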

Re: enable DPD on R80.20

I believe you need to do both.

That's in addition to setting the tunnel_keepalive_method property in the remote object to dpd, of course.