Configuring IPsec Keep Alive¶
There are two methods which can make the firewall attempt to keep a non-mobile IPsec tunnel up and active at all times: automatic ping and periodic check. These options are available in the settings for each IPsec phase 2 entry.
See Keep Alive for additional details on these settings.
Automatic Ping¶
The automatic ping method utilizes ICMP echo requests sent to a specific remote host across the VPN to match policies which will start a tunnel and keep it active.
For tunnel mode (policy-based) IPsec tunnels, traffic destined to the Remote Network will attempt to initiate the tunnel when it is down. This is because the generated ping will match trap policies in the kernel and be considered “interesting traffic” for IPsec.
Due to this reliance on policies, this method is not capable of initiating a VTI mode tunnel. It can still send periodic traffic across a VTI mode tunnel if a use case requires that behavior.
This option will also not initiate a tunnel if its phase 1 Child SA Start Action is set to Responder Only.
Unlike other mechanisms such as DPD, the periodic traffic sent across the tunnel is treated like any other traffic crossing the tunnel. It therefore counts as tunnel activity and resets any idle counters on the far side.
Any IP address within the Remote Network of the phase 2 definition may be used. It does not have to reply or even exist.
For this feature to work the firewall must have an IP address assigned inside the Local Network. Otherwise it cannot generate the necessary traffic to match the phase 2 policies and traffic cannot enter the tunnel.
Periodic Check¶
The periodic check method utilizes a periodic status check which looks at the list of connected IPsec tunnels and initiates entries which are not currently connected.
As this does not rely on tunnel traffic or trap policies it is compatible with any IPsec tunnel mode, including VTI mode.
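The following is an added example, not pfSense's own keep alive code, that emulates the periodic check described above on a strongSwan host: it compares the configured child SA names against the output of `swanctl --list-sas` and initiates each child that has no INSTALLED SA. The child SA line format in the constructed sample is assumed to follow strongSwan's `swanctl --list-sas` output.

```shell
#!/bin/sh
# Added example (not from pfSense): emulate the IPsec "periodic check"
# keep alive method with strongSwan's swanctl.

# Constructed sample of `swanctl --list-sas` output: IKE SA "con1" is up,
# child "con1_1" is INSTALLED, and a second configured child "con1_2" is absent.
SAMPLE_SAS=$(cat <<'EOF'
con1: #3, ESTABLISHED, IKEv2, 1111_i* 2222_r
  local  '10.1.1.1' @ 203.0.113.10[500]
  remote '10.2.2.2' @ 198.51.100.20[500]
  con1_1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 120s ago, rekeying in 3000s, expires in 3500s
    local  10.1.0.0/24
    remote 10.2.0.0/24
EOF
)

# children_down "NAME NAME ..." SAS_OUTPUT
# Prints, one per line, every configured child with no INSTALLED child SA.
children_down() {
    configured=$1
    sas=$2
    for child in $configured; do
        # A child SA line looks like "  name: #N, reqid N, INSTALLED, ..."
        if ! printf '%s\n' "$sas" |
            grep -Eq "^[[:space:]]+${child}: #[0-9]+, reqid [0-9]+, INSTALLED,"; then
            printf '%s\n' "$child"
        fi
    done
}

# keepalive_check "NAME NAME ..." [SAS_OUTPUT]
# Without SAS_OUTPUT it queries the running daemon and initiates each
# missing child; with SAS_OUTPUT (e.g. the sample) it only reports them.
keepalive_check() {
    configured=$1
    sas=${2:-$(swanctl --list-sas 2>/dev/null)}
    children_down "$configured" "$sas" | while read -r child; do
        [ -n "$2" ] || swanctl --initiate --child "$child"
        printf 'initiate %s\n' "$child"
    done
}

keepalive_check "con1_1 con1_2" "$SAMPLE_SAS"   # prints: initiate con1_2
```

Run it from cron (or a similar scheduler) with the live daemon to reproduce the periodic behavior; on the sample it only reports `con1_2` as the child to initiate.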
IKEv1 vs IKEv2¶
Whether or not this option should be enabled on every phase 2 entry for a tunnel depends on the tunnel configuration.
- IKEv1 or IKEv2 with Split Connections
In these modes each phase 2 entry results in a separate child SA entry which can be connected separately. In this case, the keep alive options may be set on each phase 2 entry individually as needed. If all phase 2 entries must stay connected, then it must be enabled on every entry.
- IKEv2 without Split Connections
In this mode the phase 2 entries are combined into a single child SA entry and all combinations of phase 2 entries are connected as a single group. In this case the keep alive options need only be enabled on the first phase 2 entry for a tunnel.
See IPsec phase 1 Advanced Options for more information on how the Split Connections option works.