There are two methods which can make the firewall attempt to keep a non-mobile IPsec tunnel up and active at all times: automatic ping and periodic check. These options are available in the settings for each IPsec phase 2 entry.
See also
See Keep Alive for additional details on these settings.
Automatic Ping
This method utilizes ICMP echo requests sent to a specific remote host across the VPN to match policies which will start a tunnel and keep it active.
For tunnel mode (policy-based) IPsec tunnels, traffic destined for the Remote Network will attempt to initiate the tunnel when it is down. This is because the generated ping will match trap policies in the kernel and be considered "interesting traffic" for IPsec.
Warning
Due to the reliance on policies this method is not capable of initiating a VTI mode tunnel. It can send periodic traffic across a VTI mode tunnel if a use case requires that behavior.
This option will also not initiate a tunnel if its phase 1 Child SA Start Action is set to Responder Only.
Unlike other mechanisms such as DPD, this periodic traffic sent across the tunnel is treated like other traffic crossing the tunnel. This traffic would count as tunnel activity and reset any idle counters on the far side.
Note
Any IP address within the Remote Network of the phase 2 definition may be used. It does not have to reply or even exist.
Warning
For this feature to work the firewall must have an IP address assigned inside the Local Network. Otherwise it cannot generate the necessary traffic to match the phase 2 policies and traffic cannot enter the tunnel.
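The conditions above (ping target inside the Remote Network, a firewall address inside the Local Network, policy-based versus VTI mode, and the Responder Only start action) decide whether an automatic ping can actually bring a tunnel up. The following is an added example that models those rules; it is not pfSense code, and the field names on the Phase2 record (mode, responder_only, source_address, ping_target) are assumptions chosen for the illustration rather than the option names in the GUI.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


# Constructed model of one phase 2 entry plus the automatic ping settings.
# Field names are assumptions for this example, not pfSense option names.
@dataclass
class Phase2:
    name: str
    mode: str             # "tunnel" (policy-based) or "vti" (routed)
    responder_only: bool  # True when the phase 1 Child SA Start Action is Responder Only
    local_network: str    # phase 2 Local Network, e.g. "10.0.0.0/24"
    remote_network: str   # phase 2 Remote Network
    source_address: str   # address on the firewall the ping is sourced from
    ping_target: str      # automatic ping host; need not exist or reply


def automatic_ping_outcome(p2: Phase2) -> tuple:
    """Return (traffic_enters_tunnel, initiates_tunnel, reason).

    traffic_enters_tunnel: the ping is carried across the tunnel (and counts
    as tunnel activity on the far side) once the tunnel is up.
    initiates_tunnel: the ping can bring an idle tunnel up by hitting a
    trap policy in the kernel.
    """
    # VTI tunnels are routed, not policy-based: the ping crosses the tunnel
    # when it is up but there is no trap policy for it to trigger.
    if p2.mode == "vti":
        return (True, False, "VTI mode: traffic crosses the tunnel but cannot initiate it")

    target = ip_address(p2.ping_target)
    source = ip_address(p2.source_address)
    local = ip_network(p2.local_network, strict=False)
    remote = ip_network(p2.remote_network, strict=False)

    # Only traffic destined for the Remote Network matches the phase 2 policy.
    if target not in remote:
        return (False, False, "ping target is outside the Remote Network, so no policy matches")

    # Without an address inside the Local Network the firewall cannot source
    # traffic that matches the policy, so nothing enters the tunnel.
    if source not in local:
        return (False, False, "firewall has no address inside the Local Network")

    # A Responder Only phase 1 never initiates, however interesting the traffic.
    if p2.responder_only:
        return (True, False, "Child SA Start Action is Responder Only; the firewall will not initiate")

    return (True, True, "policy-based tunnel: ping matches the trap policy and initiates the tunnel")


if __name__ == "__main__":
    # Constructed sample entries (RFC 5737 documentation addresses).
    samples = [
        Phase2("lan-to-siteB", "tunnel", False, "10.0.0.0/24", "192.0.2.0/24", "10.0.0.1", "192.0.2.77"),
        Phase2("no-local-addr", "tunnel", False, "10.0.0.0/24", "192.0.2.0/24", "172.16.5.1", "192.0.2.77"),
        Phase2("vti-to-siteB", "vti", False, "10.99.0.1/30", "10.99.0.2/30", "10.99.0.1", "10.99.0.2"),
        Phase2("responder", "tunnel", True, "10.0.0.0/24", "192.0.2.0/24", "10.0.0.1", "192.0.2.77"),
    ]
    for p2 in samples:
        print(p2.name, automatic_ping_outcome(p2))
```

Running the block prints one line per constructed entry; the first returns (True, True), the entry whose source sits outside the Local Network returns (False, False), and the VTI and Responder Only entries return (True, False), matching the three warnings and the note above.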
Periodic Check
This method utilizes a periodic status check which looks at the list of connected IPsec tunnels and will initiate entries which are not currently connected.
As this does not rely on tunnel traffic or trap policies it is compatible with any IPsec tunnel mode, including VTI mode.
IKEv1 vs IKEv2
Whether or not this option should be enabled on every phase 2 entry for a tunnel depends on the tunnel configuration.
- IKEv1 or IKEv2 with Split Connections:
In these modes each phase 2 entry results in a separate child SA entry which can be connected separately. In this case, the keep alive options may be set on each phase 2 entry individually as needed. If all phase 2 entries must stay connected, then it must be enabled on every entry.
- IKEv2 without Split Connections:
In this mode the phase 2 entries are combined into a single child SA entry and all combinations of phase 2 entries are connected as a single group. In this case the keep alive options need only be enabled on the first phase 2 entry for a tunnel.
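To make the two cases concrete, here is an added example that models how phase 2 entries map onto child SAs and which groups a periodic check would initiate. It is an illustration written for this page, not pfSense's own status-check code; the entry dictionaries, the `keep_alive` key and the constructed "connected" set stand in for the real configuration and the live tunnel status list. The model follows the text literally: a combined IKEv2 child SA is watched when keep alive is enabled on the first phase 2 entry.

```python
# Constructed model of child SA grouping and the periodic check decision.
# Data structures and names are assumptions for this example, not pfSense internals.

def child_sa_groups(ike_version, split_connections, phase2_entries):
    """Group phase 2 entries by the child SA they produce.

    Each entry is a dict with "name" and "keep_alive" keys, listed in the
    order the entries appear under the phase 1.
    """
    if ike_version == 1 or split_connections:
        # IKEv1, or IKEv2 with Split Connections: one child SA per entry,
        # each of which connects independently.
        return [[entry] for entry in phase2_entries]
    # IKEv2 without Split Connections: every entry shares one child SA and
    # all of them come up together.
    return [list(phase2_entries)]


def kept_alive_groups(ike_version, split_connections, phase2_entries):
    """Return the child SA groups (as name tuples) the periodic check watches.

    A group is watched when keep alive is enabled on its first entry; for a
    separate child SA that is the entry itself, for a combined IKEv2 child SA
    it is the first phase 2 entry of the tunnel.
    """
    watched = []
    for group in child_sa_groups(ike_version, split_connections, phase2_entries):
        if group[0]["keep_alive"]:
            watched.append(tuple(entry["name"] for entry in group))
    return watched


def periodic_check(ike_version, split_connections, phase2_entries, connected):
    """Return the watched groups that are not currently connected.

    `connected` is a set of group name tuples, a constructed stand-in for the
    live list of connected tunnels the real check consults.
    """
    return [
        group
        for group in kept_alive_groups(ike_version, split_connections, phase2_entries)
        if group not in connected
    ]


# Constructed sample: one IKEv2 tunnel without Split Connections (keep alive
# only on the first entry) and one IKEv1 tunnel (keep alive on two of three).
IKEV2_ENTRIES = [
    {"name": "lan-to-siteB", "keep_alive": True},
    {"name": "dmz-to-siteB", "keep_alive": False},
]
IKEV1_ENTRIES = [
    {"name": "lan-to-siteC", "keep_alive": True},
    {"name": "dmz-to-siteC", "keep_alive": False},
    {"name": "mgmt-to-siteC", "keep_alive": True},
]

if __name__ == "__main__":
    # Nothing connected yet: the whole combined IKEv2 child SA is initiated.
    print(periodic_check(2, False, IKEV2_ENTRIES, set()))
    # IKEv1 with lan-to-siteC already up: only mgmt-to-siteC is initiated;
    # dmz-to-siteC stays down because keep alive is not enabled on it.
    print(periodic_check(1, False, IKEV1_ENTRIES, {("lan-to-siteC",)}))
```

The second sample shows the point of the IKEv1 rule: an entry without keep alive is never initiated by the check, so a tunnel whose every phase 2 must stay up needs the option on every entry. Flipping `split_connections` to True for the IKEv2 sample turns it into the per-entry case as well.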
See also
See IPsec phase 1 Advanced Options for more information on how the Split Connections option works.