UniFi - USG VPN: How to Implement Dead Peer Detection


Overview


This article includes steps on how to implement Dead Peer Detection, which can be a solution for dead VPN tunnels that won't restart on their own.

NOTES & REQUIREMENTS: This article covers advanced configuration using the config.gateway.json file and should only be performed by advanced users. Read how to create the config.gateway.json file in this article before you begin.
 
Dead Peer Detection is enabled automatically for Auto VPNs starting with UniFi Controller version 5.7.8. Users with a manually configured IPsec VPN may still need to follow these steps.

Table of Contents


  1. Introduction
  2. Steps: How to Implement DPD
  3. Related Articles

Introduction


A solution for dead VPN tunnels that won't restart on their own is implementing DPD (Dead Peer Detection). With DPD enabled, the UniFi Security Gateway periodically probes the remote peer over the IKE channel. When the peer stops answering and the USG marks it dead, the USG removes the Phase 1 (IKE) security association (SA) and all Phase 2 (IPsec) SAs for that peer. With the DPD action set to restart, the USG then renegotiates the tunnel from scratch rather than waiting for the dead peer to revive.


Steps: How to Implement DPD


A config.gateway.json file will be needed for this implementation. Read this article to learn how to create one. If you suspect you have a dead peer, SSH into the USG and run the command show vpn ipsec sa; a tunnel to a dead peer is listed with a state of "down". (Need help connecting via SSH? Read our article on the subject.)

To implement Dead Peer Detection follow these steps:

1. Begin by accessing the USG through SSH. 

2. Run the following commands, replacing <ike group> with the name of the IKE group your manual VPN uses. The interval is the keep-alive interval in seconds and the timeout is how long the USG waits for a response before declaring the peer dead, so with the values below a peer is declared dead after 120 seconds of silence:

configure
set vpn ipsec ike-group <ike group> dead-peer-detection action restart
set vpn ipsec ike-group <ike group> dead-peer-detection interval 30
set vpn ipsec ike-group <ike group> dead-peer-detection timeout 120
commit;save;exit
mca-ctrl -t dump-cfg

User Tip: To find the <ike group> name, either use the tab or ? key when typing in the command (e.g. set vpn ipsec ike-group ?). Alternatively, type the command show vpn ipsec ike-group. Note that the commit takes effect on the USG immediately, but it will be overwritten on the next provision unless the same settings are also placed in config.gateway.json, which is what the following steps do.

3. The mca-ctrl -t dump-cfg command prints the USG's current running configuration as JSON, so the new dead-peer-detection block already appears in the correct format under vpn > ipsec > ike-group. Copy only that VPN portion into the previously created config.gateway.json file on your UniFi Controller. Refer to the config.gateway.json article for more information. When using a Cloud Key, create the file in /srv/unifi/data/sites/(siteID)/config.gateway.json. If the controller is running on Windows or Linux, this article explains where to save the file.

4. The settings in the file are applied on the next provision of the USG. Before provisioning, double check that the file contains no errors; you can run the text through a JSON validator such as JSON Formatter. A malformed config.gateway.json will cause the provision to fail.
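The following is an added example of what the resulting config.gateway.json looks like for the steps above; it is not taken from the original article or from a USG dump. The IKE group name IKE-Site-B is an assumption and must be replaced with the name shown by show vpn ipsec ike-group on your own USG. The nesting mirrors the CLI path (vpn > ipsec > ike-group > <name> > dead-peer-detection), and the values are quoted strings, which is how mca-ctrl -t dump-cfg emits them:

```json
{
  "vpn": {
    "ipsec": {
      "ike-group": {
        "IKE-Site-B": {
          "dead-peer-detection": {
            "action": "restart",
            "interval": "30",
            "timeout": "120"
          }
        }
      }
    }
  }
}
```

If your config.gateway.json already contains a top-level "vpn" key for other customizations, merge this block into that existing object rather than adding a second "vpn" entry; duplicate keys in a JSON object are not a valid way to combine settings, and a validator will not necessarily flag them. Only the ike-group settings need to be present: the rest of the VPN definition continues to come from the controller.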


Related Articles


UniFi - USG Advanced Configuration

Intro to Networking - How to Establish a Connection Using SSH