If we configure DMVPN with IPSEC, the DPD timeout and interval are not set in the swanctl.conf file.
Configuration:
set interfaces ethernet eth0 address '10.0.1.2/24'
set interfaces ethernet eth0 hw-id '0c:4b:e8:6d:00:00'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 hw-id '0c:4b:e8:6d:00:01'
set interfaces ethernet eth2 hw-id '0c:4b:e8:6d:00:02'
set interfaces ethernet eth3 hw-id '0c:4b:e8:6d:00:03'
set interfaces loopback lo
set interfaces tunnel tun100 address '10.10.100.1/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 mtu '1400'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '10.0.1.2'
set protocols bgp address-family ipv4-unicast network 192.168.1.0/24
set protocols bgp local-as '65000'
set protocols bgp neighbor 10.10.100.2 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.10.100.2 remote-as '65000'
set protocols bgp neighbor 10.10.100.3 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.10.100.3 remote-as '65000'
set protocols bgp parameters router-id '1.1.1.1'
set protocols nhrp tunnel tun100 cisco-authentication 'dmvpn'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 shortcut
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc.'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'dmvpn'
swanctl.conf
vyos@vyos:~$ sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
        version = 2
        rekey_time = 3600s
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
pools {
}
secrets {
    ike-dmvpn-tun100 {
        secret = dmvpn
    }
}
It does not work only in 1.4
I tested it with vyos-1.3.1-S1. DPD parameters are set there.
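A quick way to catch this regression on any box is to parse the generated swanctl.conf and flag connections that ask for DPD (a child sets dpd_action) but never set the connection-level strongSwan keys dpd_delay and dpd_timeout. The script below is an added example, not VyOS or strongSwan code: the parser is a minimal one written for this check, the GENERATED sample is the swanctl.conf shown above, and the EXPECTED sample is a constructed variant that assumes VyOS maps dead-peer-detection interval '3' and timeout '30' to dpd_delay = 3s and dpd_timeout = 30s.

```python
"""Check a generated swanctl.conf for missing DPD settings (added example)."""

DPD_KEYS = ("dpd_delay", "dpd_timeout")  # real strongSwan swanctl.conf keys

# Sample input: the swanctl.conf output from the bug report above.
GENERATED = """\
### Autogenerated by vpn_ipsec.py ###
connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
        version = 2
        rekey_time = 3600s
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                start_action = trap
                dpd_action = restart
            }
        }
    }
}
pools {
}
secrets {
    ike-dmvpn-tun100 {
        secret = dmvpn
    }
}
"""

# Constructed "fixed" variant: assumes VyOS renders interval '3' / timeout '30'
# as dpd_delay = 3s / dpd_timeout = 30s on the connection itself.
EXPECTED = GENERATED.replace(
    "version = 2",
    "version = 2\n        dpd_delay = 3s\n        dpd_timeout = 30s",
)


def parse_swanctl(text):
    """Minimal parser for the swanctl.conf brace syntax into nested dicts.

    Handles 'key = value' lines, 'name {' block openers, '}' closers and
    '#' comments. Raises ValueError on anything else or on unbalanced braces.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root


def missing_dpd(config):
    """Return {connection: [missing keys]} for connections whose children
    request DPD via dpd_action but which lack dpd_delay / dpd_timeout."""
    findings = {}
    for name, conn in config.get("connections", {}).items():
        children = conn.get("children", {})
        if not any("dpd_action" in child for child in children.values()):
            continue
        missing = [key for key in DPD_KEYS if key not in conn]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for label, sample in (("generated", GENERATED), ("expected", EXPECTED)):
        print(label, missing_dpd(parse_swanctl(sample)) or "DPD keys present")
```

Run it against `sudo cat /etc/swanctl/swanctl.conf` output to confirm whether a given build renders the keys. One caveat worth knowing when reading the result: strongSwan drives DPD from dpd_delay for both IKE versions, while dpd_timeout only affects IKEv1 connections, so on this IKEv2 profile the missing dpd_delay is the part that actually disables liveness checks.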