There are several other VPN components on the SRX platform. Many are optional enhancements; others are enabled automatically and can be tuned manually if desired. Understand each feature thoroughly before enabling it, because enabling a feature incorrectly can have undesirable effects. Knowledge is power, especially with a device as powerful as the SRX.
One problem that IKE itself does not solve is a VPN peer that fails abruptly while a tunnel is established. Because the VPN gateway rarely originates traffic of its own (dynamic routing protocols being the exception), it has no reason to notice that the peer is gone until the IPsec keys expire and the tunnel has to be renegotiated; until then it keeps forwarding traffic into a tunnel that no longer works.
To detect such failures sooner, the SRX supports Dead Peer Detection (DPD), a standards-based mechanism defined in RFC 3706. DPD sends an IKE notification (R-U-THERE) to the peer over UDP at a configured interval and expects an R-U-THERE-ACK in return; if a configured number of consecutive probes go unanswered, the peer is considered down. A gateway can then take an alternative action, such as failing over to a backup VPN, as soon as the failure is detected rather than waiting for the keys to expire.
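The exchange described above, as an added illustration that is not part of the original text and is not Junos or SRX code: a simplified model of RFC 3706 DPD. It shows the two IKE notify messages (R-U-THERE and R-U-THERE-ACK with an echoed sequence number), why a probe is sent only when the tunnel has been idle, how a wrong sequence number in an ACK is ignored, and how a threshold of unanswered probes becomes a "peer dead" decision. The class, field and function names (DpdMonitor, simulate, and so on) and all timings are this example's own assumptions.

```python
"""Simplified model of RFC 3706 Dead Peer Detection (DPD).

Added example for this chapter, not Junos/SRX code. Timings and names are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

R_U_THERE = "R-U-THERE"          # IKE notify sent by the prober
R_U_THERE_ACK = "R-U-THERE-ACK"  # IKE notify echoing the prober's sequence number


@dataclass
class DpdMonitor:
    interval: float = 10.0            # idle seconds before (another) probe is sent
    threshold: int = 5                # consecutive unanswered probes => peer dead
    seq: int = 1000                   # RFC 3706: sequence number increases per probe
    last_rx: float = 0.0              # time any IKE/IPsec traffic last arrived from the peer
    last_probe: float = float("-inf") # time the most recent probe was sent
    outstanding: Optional[int] = None # sequence number of the probe awaiting its ACK
    failures: int = 0
    dead: bool = False

    def receive_traffic(self, now: float) -> None:
        """Any inbound IPsec or IKE traffic is proof of life; DPD stays quiet."""
        self.last_rx = now
        self.outstanding = None
        self.failures = 0

    def receive(self, now: float, msg: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Handle a DPD notify from the peer. Returns a reply to send, or None."""
        kind, seq = msg
        if kind == R_U_THERE:
            # The peer is checking on us: answer with its own sequence number.
            self.receive_traffic(now)
            return (R_U_THERE_ACK, seq)
        if kind == R_U_THERE_ACK:
            if seq != self.outstanding:
                # Stale or forged ACK (sequence mismatch): RFC 3706 says discard it.
                return None
            self.receive_traffic(now)
        return None

    def tick(self, now: float) -> Optional[Tuple[str, int]]:
        """Periodic timer. Returns an R-U-THERE to send, or None."""
        if self.dead:
            return None
        if now - self.last_rx < self.interval or now - self.last_probe < self.interval:
            return None  # recent traffic proves liveness, or a probe is still in flight
        if self.outstanding is not None:
            # The previous probe went a full interval without an ACK.
            self.failures += 1
            if self.failures >= self.threshold:
                self.dead = True  # the caller would now tear down the SA or fail over
                return None
        self.seq += 1
        self.outstanding = self.seq
        self.last_probe = now
        return (R_U_THERE, self.seq)


def simulate(peer_alive_until: float, interval: float = 10.0, threshold: int = 5,
             run_for: float = 200.0) -> Optional[float]:
    """Drive a monitor against a peer that answers probes until `peer_alive_until`
    and then goes silent. Returns the time the peer is declared dead, or None.
    The 50 ms ACK delay and one-second timer are constructed values."""
    mon = DpdMonitor(interval=interval, threshold=threshold)
    t = 0.0
    while t <= run_for:
        probe = mon.tick(t)
        if probe is not None and t < peer_alive_until:
            mon.receive(t + 0.05, (R_U_THERE_ACK, probe[1]))  # live peer echoes our seq
        if mon.dead:
            return t
        t += 1.0
    return None


if __name__ == "__main__":
    # Peer dies at t=30; with interval 10 and threshold 5 the first unanswered
    # probe goes out at t=32 and the peer is declared dead 5 intervals later.
    print("peer declared dead at t =", simulate(30.0))
```

The model makes the practical trade-off visible: with the defaults above, detection takes threshold times interval seconds after the tunnel goes quiet, and until then traffic is still being sent into the dead tunnel. Shortening the interval detects failures faster at the cost of more IKE chatter, while a peer under heavy load can be wrongly declared dead if the threshold is too low.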
DPD is most useful for VPNs that do not run a dynamic routing protocol (such as OSPF) across the tunnel. Where a routing protocol is in use, its own neighbor timers detect the failure and move traffic to another path without any need for DPD.
One issue with DPD is that it doesn’t necessarily ...