This article includes steps on how to implement Dead Peer Detection, which can be a solution for dead VPN tunnels that won't restart on their own. This article applies to UniFi Security Gateways exclusively.
A solution for dead VPN tunnels that won't restart on their own is implementing DPD (Dead Peer Detection). When the UniFi Security Gateway (USG or USG-PRO-4) changes the status of a peer device to be dead, the device removes the Phase 1 security association (SA) and all Phase 2 SAs for that peer. DPD will attempt to recreate the tunnel rather than trying to revive the dead peer.
Steps: How to Implement DPD
A config.gateway.json file will be needed for this implementation. Read this article to learn how to create one. If you suspect you have a dead peer, you can SSH into the USG and run the command show vpn ipsec sa. If you are indeed dealing with a dead peer, the tunnel will appear as being "down". (Need help connecting via SSH? Read this article on the subject.)
To implement Dead Peer Detection follow these steps:
1. Begin by accessing the USG through SSH.
2. Run the following commands:
configure
set vpn ipsec ike-group <ike group> dead-peer-detection action restart
set vpn ipsec ike-group <ike group> dead-peer-detection interval 30
set vpn ipsec ike-group <ike group> dead-peer-detection timeout 120
commit
exit
mca-ctrl -t dump-cfg
The set commands only apply inside configuration mode (configure ... commit), and mca-ctrl -t dump-cfg is run from the normal shell after leaving it; interval and timeout are in seconds.
User tip: to find the name of the IKE group, press the ? key when typing in the command (i.e. set vpn ipsec ike-group ?). Alternatively, type the command show vpn ipsec ike-group. Be sure to double check that the IKE group name in your config.gateway.json is correct according to this tip.
3. The output of mca-ctrl -t dump-cfg shows the new VPN portion in the correct JSON format. Copy and paste that output into a previously created config.gateway.json file located in your UniFi Network Controller. Refer to the config.gateway.json article for more information. When using a Cloud Key, create the file in /srv/unifi/data/sites/(siteID)/config.gateway.json. If the controller is running on Windows or Linux, this article explains where to save the file.
4. The file will be saved on the next provision. Double check that there are no errors in it; you can run the text through a JSON validator such as JSON Formatter.
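The following is an added example, not part of the Ubiquiti article, showing steps 2 to 4 in code: it takes the JSON that mca-ctrl -t dump-cfg prints, keeps only the vpn ipsec ike-group subtree (which is the shape config.gateway.json expects), and sanity-checks the DPD values before you paste them into the controller. The dump text and the IKE group name IKE_GROUP_NAME are constructed placeholders; the set of valid DPD actions (clear, hold, restart) is the EdgeOS one.

```python
import json

# Constructed stand-in for the part of `mca-ctrl -t dump-cfg` output that
# matters here; the real dump holds the whole gateway config.
DUMP_CFG_SAMPLE = json.dumps({
    "vpn": {
        "ipsec": {
            "ike-group": {
                "IKE_GROUP_NAME": {          # placeholder, use your real group name
                    "dead-peer-detection": {
                        "action": "restart",
                        "interval": "30",   # seconds, stored as strings in the dump
                        "timeout": "120",
                    },
                    "proposal": {"1": {"encryption": "aes256", "hash": "sha1"}},
                }
            }
        }
    },
})

VALID_ACTIONS = {"clear", "hold", "restart"}  # EdgeOS dead-peer-detection actions


def extract_vpn_section(dump_cfg_text):
    """Return the vpn.ipsec.ike-group subtree in config.gateway.json shape."""
    cfg = json.loads(dump_cfg_text)  # raises ValueError on malformed JSON
    groups = cfg.get("vpn", {}).get("ipsec", {}).get("ike-group")
    if not groups:
        raise ValueError("no vpn ipsec ike-group found in dump-cfg output")
    return {"vpn": {"ipsec": {"ike-group": groups}}}


def check_dpd(fragment):
    """Check DPD on every IKE group; return a list of problems (empty == ok)."""
    problems = []
    for name, group in fragment["vpn"]["ipsec"]["ike-group"].items():
        dpd = group.get("dead-peer-detection")
        if dpd is None:
            problems.append(f"{name}: dead-peer-detection not configured")
            continue
        if dpd.get("action") not in VALID_ACTIONS:
            problems.append(f"{name}: action must be one of {sorted(VALID_ACTIONS)}")
        try:
            interval, timeout = int(dpd["interval"]), int(dpd["timeout"])
        except (KeyError, ValueError):
            problems.append(f"{name}: interval and timeout must be whole seconds")
            continue
        if timeout <= interval:  # a timeout shorter than the probe interval never fires sensibly
            problems.append(f"{name}: timeout ({timeout}s) must exceed interval ({interval}s)")
    return problems


if __name__ == "__main__":
    fragment = extract_vpn_section(DUMP_CFG_SAMPLE)
    print(json.dumps(fragment, indent=2))  # paste this into config.gateway.json
    print(check_dpd(fragment) or "DPD settings look consistent")
```

Replace DUMP_CFG_SAMPLE with the text captured from your own gateway; because json.loads is used, the same run also performs the JSON validation step 4 asks for.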