Support for Dead Peer Detection:
	A Traffic-Based Method of Detecting Dead IKE Peers 


The DPD feacture provides support for RFC3706 Dead Peer Detection. 

DPD works using a keepalive system, where when a tunnel is idle
(established, but no traffic has traversed it for N period (dpddelay=N1)
one or both sides send a "hello" messages (R_U_THERE) and the other
replies with a acknowledge message (R_U_THERE_ACK).  If no response
received, this continues until the DPD timeout value (dpdtimeout=N2)
has elapsed.  If there still hasn't been any traffic or R_U_THERE_ACK 
packets received, the peer is declared to be dead, and the SA deleted, 
and related eroute removed from the table.

DPD support is tuneable on a per connection basis, using the dpdtimeout, 
dpddelay and dpdaction directives.  See also the ipsec.conf man page for
more information.

An example follows:

conn laptop2myhome
	left=%defaultroute
	leftnexthop=%defaultroute
	right=192.168.0.1
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear


In the above example, our keepalive time is 30 seconds, our timeout is 120
seconds, and our action is clear. So during idle periods, we send
R_U_THERE packets every 30 seconds.  If the tunnel is idle and we haven't
received an R_U_THERE_ACK from our peer in 120 seconds, we declare the
peer dead, and clear the SA + eroute (the entire tunnel is removed).

Note that both sides must have either dpddelay or dpdtimeout set for DPD 
to be proposed or accepted.  If one directive is set but not the other, 
the defaults are used (dpddelay=30, dpdtimeout=120).

The dpdaction parameter controls what we do when a peer is determined to
be dead. If set to "hold" (the default) it will place the eroute into
%hold status, and wait for the peer to return.  If set to "clear" it will
remove the connection entirely, including both the SA and eroute.

We recommend that "hold" be used for statically defined tunnels, and 
"clear" be used for roadwarrior tunnels.

DPD support in Openswan is based on Philip Craig [1]'s work for
Snapgear's ucLinux [2] and Srinivasan Venkataraman's [3] implementation, 
which were ported to Super FreeS/WAN by Pawel Krawczyk, and then hacked 
on by Pawel, JuanJo Ciarlante and Ken Bantoft. Thanks to Daniel 
Djamaludin [4] and Srinivasan Venkataraman for their support and 
advice.

This code is currently maintained by Xelerance Corporation.

[1] philipc@snapgear.com
[2] http://cvs.uclinux.org/cgi-bin/cvsweb/uClinux-dist/freeswan/
[3] http://www.ittc.ku.edu/~sriniven/eecs801/801index.html
[4] danield@snapgear.com

Inter-operability Test Results:

Pass:
Super FreeS/WAN 1.99.7
Openswan 1.x
Openswan 2.2.x
Cisco Systems: VPN 3000 Concentrator Version 3.6.7.C
Cisco Systems: IOS 12.2.8T 

Note: Previous versions had -DAPPLY_CRISCO as a compile time option to deal
with Cisco devices that sent invalid cookies.  According to the RFC, we 
SHOULD check them, not MUST.  Thus, we have to accept invalid cookies.  So
now we do, however we still log it.

Thanks to Geoffrey Huang <ghuang@cisco.com> for debating this with me.