Disable DPD in VPN IPSec tunnel

Overview

This article provides information on how to disable Dead Peer Detection (DPD) using Kerio Control internal files.

 

Background Information

Dead Peer Detection (DPD) is a method of detecting a dead (unavailable) VPN endpoint. When a dead endpoint is detected, DPD triggers either a failover or a re-negotiation. Because of the specifications of some third-party firewalls, DPD may fail for an IPsec VPN tunnel that otherwise works. In these cases, DPD has to be disabled by editing the configuration file through the SSH console. This can be done for each IPsec VPN configuration, including the VPN server. With DPD disabled, an unavailable endpoint on that tunnel no longer triggers a failover or re-negotiation.

 

Preconditions

Access to Kerio Control Administration


 

Process for Disabling DPD

  1. Log in via SSH to your Kerio Control console.

  2. Remount the root filesystem read-write by running the command: mount -o rw,remount /

  3. Open /opt/kerio/winroute/winroute.cfg using Vim or Nano editor.

  4. Search for DPD (Ctrl + W in Nano).

  5. Set the DpdAction variable to none, so that the line reads:
    <variable name="DpdAction">none</variable>

  6. Save the changes by pressing Ctrl + O and confirming with Yes.

    Note: DPD can also be disabled for the IPsec VPN server by changing its default value (clear) to none.
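
The edit in steps 3 to 6 can also be made without an interactive editor. The shell functions below are an added example, not Kerio's own tooling: list_dpd reports the line number and value of every DpdAction variable in a file, and set_dpd_none changes one chosen line to none after saving a .bak copy. The fragment written by make_sample is constructed for testing; only the DpdAction element comes from this article.

```shell
# Added example (not Kerio tooling). Only this element shape is taken from the article.
PATTERN='<variable name="DpdAction">'

# make_sample FILE: write a constructed config fragment for testing.
# The surrounding elements are made up; they are not the real winroute.cfg layout.
make_sample() {
    cat > "$1" <<'EOF'
<config>
  <listitem>
    <variable name="Example">tunnel-a</variable>
    <variable name="DpdAction">clear</variable>
  </listitem>
  <listitem>
    <variable name="Example">tunnel-b</variable>
    <variable name="DpdAction">clear</variable>
  </listitem>
</config>
EOF
}

# list_dpd FILE: print LINE:VALUE for every DpdAction variable (read-only audit).
list_dpd() {
    grep -n "$PATTERN" "$1" |
        sed 's/^\([0-9]*\):.*<variable name="DpdAction">\([^<]*\)<.*/\1:\2/'
}

# set_dpd_none FILE LINE: set only the DpdAction on LINE to none, keeping FILE.bak.
set_dpd_none() {
    file=$1
    line=$2
    # Refuse anything that is not a plain line number.
    case $line in ''|*[!0-9]*) echo "LINE must be a number" >&2; return 2 ;; esac
    # Refuse lines that do not hold a DpdAction variable, so nothing else is touched.
    sed -n "${line}p" "$file" | grep -q "$PATTERN" || {
        echo "line $line has no DpdAction variable" >&2
        return 1
    }
    # Keep a copy of the previous configuration before editing in place.
    cp -p "$file" "$file.bak" || return 1
    sed -i "${line}s|${PATTERN}[^<]*</variable>|${PATTERN}none</variable>|" "$file"
}
```

Run list_dpd first to find the line for the tunnel in question, then pass that line number to set_dpd_none; both take /opt/kerio/winroute/winroute.cfg as the file once the remount in step 2 is done.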


Verification

You should be able to re-establish the IPsec tunnel connection and check DPD status.


Related Articles

Adjusting Lifetime Values for IPSec VPN: This article provides information about IPSec VPN settings and describes the process of changing its lifetime values using Kerio Control.

  1. Priyanka Bhotika
