Yeah, I'm wondering about that, too. The site-to-site VPN guide isn't very clear on exactly what happens, but between that and sk108600, it looks like passive responder mode is universal. Does anyone else concur or know that to be true?
We also have an issue with an AWS cloud based app that has gone down hard twice now in 90 days. Unfortunately, it's a critical app for our business. The provider's VPN support is blaming the fact that we do not have Dead Peer Detection turned on. It looks like a small glitch in connectivity causes the darn AWS VPN gateway to start DPD detection and once it does, it's a slow downward spiral over a couple of hours with more and more SAs being deleted until it finally deletes the IKE keys and shuts up. Once that happens, the AWS gateway has to be reset to restore connectivity.
In talking with my Cisco-based peers, it seems that they pretty much automatically enable DPD when configuring a VPN. I think they call it "IKE Keepalives". This might explain some mysterious behavior I've seen over the years when working with Cisco-interoperable devices.
Anyway, does anyone know of any gotchas when enabling DPD in either passive or active mode?
And what's with all this hidden configuration stuff? One has to use the registry and edit the database directly using guidbedit or dbedit to set the parameters? That sucks because it's not transparent to future admins.
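For reference on the Cisco side of the post above, this is what the "IKE Keepalives" setting looks like in Cisco IOS. It is an added illustration, not configuration from the original post or from the Check Point or AWS documentation it cites; the interval and retry values (10 seconds, 3 seconds) are assumptions chosen for the example, and the peer address is a placeholder.

```cisco
! IKEv1 (ISAKMP) dead peer detection on Cisco IOS.
! Syntax: crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic | on-demand]
!   periodic  = send DPD R-U-THERE probes at the interval regardless of traffic (active mode)
!   on-demand = only probe when outbound traffic is queued and no inbound traffic is seen (default)
! Values below (10 s interval, 3 s retry) are example numbers, not recommendations.
crypto isakmp keepalive 10 3 periodic

! IKEv2 equivalent (global; can also be set under a crypto ikev2 profile).
! Syntax: crypto ikev2 dpd <interval> <retry-interval> {periodic | on-demand}
crypto ikev2 dpd 10 3 periodic

! Placeholder peer for context; 192.0.2.1 is documentation address space (RFC 5737).
crypto isakmp key examplePSK address 192.0.2.1
```

The practical difference the thread is circling is `periodic` versus `on-demand`: with `on-demand`, a quiet tunnel is never probed, so a peer that has dropped its SAs is only noticed when traffic tries to flow; with `periodic`, the router tears down and re-establishes the SA proactively once the retries are exhausted. Whichever side initiates DPD, the other side only has to answer the R-U-THERE with an ACK, which is the "passive" behaviour the first post asks about.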