# IPsec: Dead Peer Detection (DPD) timeout for peer 203.0.113.10, deleting security association

- **ID:** `networking/ipsec-dpd-timeout`
- **Domain:** networking
- **Category:** protocol_error
- **Verification level:** ai_generated
- **Fix rate:** 80%

## Root cause

The local IPsec endpoint did not receive a DPD keepalive response from the remote peer within the configured timeout interval. This indicates that the peer is unreachable or the tunnel path is broken, so the endpoint tears down the security association (SA).

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| strongSwan 5.9-6.0 | active | — | — |
| Libreswan 4.10-5.0 | active | — | — |
| Cisco ASA 9.16-9.20 | active | — | — |
| pfSense 2.7-2.8 | active | — | — |
| AWS VPN 2024 | active | — | — |

## Solution

1. Check connectivity to the peer: run `ping 203.0.113.10` and `traceroute 203.0.113.10` to confirm the network path. Then verify that firewall rules allow UDP 500 (IKE) and UDP 4500 (NAT-T). On strongSwan, run `ipsec statusall` to see the SA state.
2. Restart the IPsec service only after connectivity has been confirmed: on strongSwan, `systemctl restart strongswan-starter`; on Cisco ASA, `clear crypto ipsec sa peer 203.0.113.10`.
3. Adjust the DPD settings so that failures are detected faster: on strongSwan, set `dpd_delay=10s` and `dpd_timeout=30s` in swanctl.conf (the legacy ipsec.conf equivalents are `dpddelay` and `dpdtimeout`; for IKEv2, strongSwan applies its retransmission timeout instead of `dpd_timeout`); on Cisco, use `crypto isakmp keepalive 10 3`.
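The steps above end with tuning DPD, but before changing timers it helps to know whether the peer is flapping (repeated timeouts in a short window, which points at a lossy path, firewall state expiry or over-aggressive DPD) or simply down (one timeout, no recovery). The following is an added example, not code from the original page or from the strongSwan project: it parses constructed charon-style log lines (the message wording and the `DPD check timed out` regex are assumptions written for these sample lines, not a guaranteed match for every strongSwan version), classifies each peer, and sanity-checks a proposed delay/timeout pair against the guidance in this page (the 120 s upper bound is this example's assumption).

```python
"""Triage DPD timeout events per peer and sanity-check DPD timers.

Added example (not from the original page or strongSwan). The log
format and regex below are assumptions matching the constructed
sample lines only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real captured data); the wording
# only approximates charon's output.
SAMPLE_LOG = """\
Jun 10 08:00:05 vpn1 charon: 12[IKE] sending DPD request to 203.0.113.10[500]
Jun 10 08:00:35 vpn1 charon: 12[IKE] DPD check timed out, closing IKE_SA to 203.0.113.10[500]
Jun 10 08:01:10 vpn1 charon: 14[IKE] IKE_SA site-a[3] established between 198.51.100.5[500]...203.0.113.10[500]
Jun 10 08:02:40 vpn1 charon: 12[IKE] DPD check timed out, closing IKE_SA to 203.0.113.10[500]
Jun 10 08:03:15 vpn1 charon: 14[IKE] IKE_SA site-a[4] established between 198.51.100.5[500]...203.0.113.10[500]
Jun 10 08:04:50 vpn1 charon: 12[IKE] DPD check timed out, closing IKE_SA to 203.0.113.10[500]
Jun 10 09:30:00 vpn1 charon: 07[IKE] DPD check timed out, closing IKE_SA to 203.0.113.22[4500]
"""

# Assumed message shape: syslog timestamp, host, "charon:", thread tag,
# then the DPD timeout text with the peer address and port.
TIMEOUT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \S+ "
    r"DPD check timed out, closing IKE_SA to (?P<peer>[\d.]+)\[\d+\]"
)


def parse_dpd_timeouts(log_text, year=2024):
    """Return {peer_ip: [datetime, ...]} for every DPD timeout line.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["peer"]].append(ts)
    return dict(events)


def classify_peer(timestamps, window=timedelta(minutes=10), flap_threshold=3):
    """'flapping' when at least flap_threshold timeouts fall inside one
    window (lossy path, NAT/firewall state expiry, or DPD too aggressive);
    otherwise 'down' (isolated timeout, peer most likely really gone)."""
    ts = sorted(timestamps)
    for i in range(len(ts)):
        j = i
        while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window:
            j += 1
        if j - i + 1 >= flap_threshold:
            return "flapping"
    return "down"


def triage(log_text):
    """Map each peer seen in the log to its verdict."""
    return {peer: classify_peer(t) for peer, t in parse_dpd_timeouts(log_text).items()}


def dpd_settings_ok(delay_s, timeout_s, min_probes=3, max_timeout_s=120):
    """Check a delay/timeout pair: a timeout shorter than a few probe
    intervals tears the SA down on a single lost packet, while a very long
    timeout (the page's 300 s anti-pattern) just masks a dead peer.
    The 120 s ceiling is this example's assumption. Returns (ok, reason)."""
    if delay_s <= 0 or timeout_s <= 0:
        return False, "delay and timeout must be positive"
    if timeout_s < min_probes * delay_s:
        return False, f"timeout allows fewer than {min_probes} probes before teardown"
    if timeout_s > max_timeout_s:
        return False, "timeout so long that a dead peer blackholes traffic for minutes"
    return True, "ok"


if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG).items():
        print(peer, verdict)
    print(dpd_settings_ok(10, 30))
    print(dpd_settings_ok(10, 300))
```

On the sample data, 203.0.113.10 is reported as flapping (three timeouts within five minutes, each followed by re-establishment), which argues for checking the path and firewall state before touching timers, while 203.0.113.22 shows a single hard failure. The `dpd_settings_ok` check accepts the page's `10s`/`30s` pair and rejects the 300 s value listed under invalid attempts.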

## Ineffective attempts

- **Increasing the DPD timeout to a very high value (e.g., 300 seconds) to suppress the error** — This only masks the problem; if the peer is truly down, the tunnel stays stale for longer and failover or reconnection is delayed. (75% failure rate)
- **Restarting the IPsec service without checking network connectivity** — The root cause (e.g., a firewall blocking UDP 500/4500, a NAT traversal issue, or a peer crash) is not addressed, so the timeout recurs shortly after the restart. (80% failure rate)
- **Disabling DPD entirely** — Without DPD, the tunnel may appear up while the peer is dead, causing traffic to be blackholed; this is both a security and a reliability risk. (90% failure rate)
