GG27
Contributor

VPN and DPD configuration

Hello

According to the R80.10 VPN documentation, to enable DPD as the method for the permanent tunnel, I need to change the tunnel_keepalive_method property for each gateway in the community.

The statement "for each gateway in the community" means you have to perform the change on the remote peer object and on the CKP gateway object as well.

The same CKP gw object is used in another VPN community with permanent tunnel on, but based on the tunnel_test protocol, because it is s2s with another CKP gateway.

I'm worried about the impact it could introduce.

My question is:

   What happens if I configure the parameter to DPD on a ckpgw used in a different community?

I'd like to know which permanent tunnel protocol is used in the following scenario:

ckpgw1 tunnel_keepalive_method: dpd

ckpgw2 tunnel_keepalive_method: tunnel_test

3rdgw1: dpd

VPN community1

   center gateway: ckpgw1

   satellite gateway: ckpgw2

   permanent tunnel: on all tunnels in the community

keepalive is based on .... (dpd/tunnel_test/not working)

VPN community2

   center gateway: ckpgw1

   satellite gateway: 3rdgw1

   permanent tunnel: on all tunnels in the community

keepalive is based on .... (dpd/tunnel_test/not working)

 

Thank you in advance.

2 Replies
PhoneBoy
Admin

My understanding is you only configure DPD on the gateway objects where DPD is actually required.
You do not need to configure your local object to use DPD.
See related discussion here: https://community.checkpoint.com/t5/General-Topics/Enable-DPD-on-R80-20/m-p/32605
GG27
Contributor

Thanks PhoneBoy

To start, the discussion in the post https://community.checkpoint.com/t5/General-Topics/Enable-DPD-on-R80-20/m-p/32605 sounds related to DPD passive mode.

In my configuration I need Permanent Tunnel based on DPD mode and, according to the guide sk108600 scenario 5, I have to switch to DPD event on my local gateway.

Moreover, I tried to investigate the configuration when DPD is enabled on the remote peer object and not on the local object, and when it is configured on both objects.

In the first testing scenario the packet was tunnel_test, while in the 2nd scenario the packet is DPD.

 
