A Virtual Private Network (VPN) Concentrator typically creates a virtual private network by establishing a secure connection across a shared network that users see as a private connection. The secure connection is often called a tunnel. The VPN Concentrator uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel, and unencapsulate them. The VPN Concentrator functions as a bidirectional tunnel endpoint. It can receive plain packets, encapsulate them, and send them to the other end of the tunnel, where they are unencapsulated and forwarded to their final destination. It can also receive encapsulated packets, unencapsulate them, and forward them to their final destination.
The VPN Concentrator performs the following functions: establishing tunnels; negotiating tunnel parameters; authenticating users; assigning user addresses; encrypting and decrypting data; managing security keys; managing data transfer across the tunnel; managing data transfer inbound and outbound as a tunnel endpoint or router.
When a network controller device serves in the role of a VPN concentrator, it may terminate a very large number of IPSec tunnels, maintain a correspondingly large number of Security Policy Databases (SPDs) in the datapath, and hold scarce hardware resources, such as a pool of Diffie-Hellman (DH) values, for the entire lifetime of the IPSec Security Associations (SAs). Detecting inactive Internet Key Exchange (IKE) peers at an early stage would therefore allow those resources to be freed and reassigned to new IKE peers, improving network resource utilization. However, the lifetime of IPSec SAs is typically a static configuration. Network controller devices therefore conventionally detect inactivity of client devices or access points connected to IPSec tunnels using a fixed timeout value, which precludes early detection of inactive IKE peers.
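The resource-holding problem described above can be made concrete with a small simulation. The following Python is an added illustration, not code from the original text or from any network controller product: it models a concentrator with a tiny DH-value pool and compares the conventional strategy (resources held until the static SA lifetime expires) with early detection via a liveness probe in the style of IKE dead peer detection (RFC 3706 for IKEv1, INFORMATIONAL exchanges in IKEv2). All peer names, timings, pool sizes and thresholds are constructed for the example.

```python
"""Simulate IKE peer resource accounting on a VPN concentrator.

Added example (not from the original text). Peers hold a DH-pool slot and
some SPD entries; the question is how soon a silent peer's resources are
released under two strategies:
  * fixed timeout:   release only when the static SA lifetime expires
  * liveness probe:  probe idle peers and release after repeated silence
"""
from dataclasses import dataclass

SA_LIFETIME = 3600       # static IPSec SA lifetime in seconds (constructed)
IDLE_THRESHOLD = 120     # seconds of silence before a peer is probed (constructed)
DPD_RETRIES = 3          # unanswered probes before the peer is declared dead
DH_POOL_SIZE = 4         # size of the concentrator's DH value pool (constructed)


@dataclass
class Peer:
    name: str
    created_at: float      # when the SA was established
    last_rx: float         # last time any traffic arrived from this peer
    dh_slot: int           # DH pool slot held for the SA's lifetime
    spd_entries: int       # SPD entries installed in the datapath
    unanswered_probes: int = 0


class Concentrator:
    def __init__(self):
        self.now = 0.0
        self.peers = {}
        self.free_dh = list(range(DH_POOL_SIZE))

    def connect(self, name, spd_entries=2):
        """Establish an SA; fails (returns None) when the DH pool is exhausted."""
        if not self.free_dh:
            return None
        slot = self.free_dh.pop()
        self.peers[name] = Peer(name, self.now, self.now, slot, spd_entries)
        return self.peers[name]

    def receive(self, name):
        """Any inbound traffic counts as proof of life for that peer."""
        p = self.peers[name]
        p.last_rx = self.now
        p.unanswered_probes = 0

    def advance(self, seconds):
        self.now += seconds

    def _release(self, p):
        # Tear down the SA: drop SPD state and return the DH slot to the pool.
        del self.peers[p.name]
        self.free_dh.append(p.dh_slot)

    def reap_fixed_timeout(self):
        """Conventional behaviour: hold resources until the SA lifetime elapses."""
        for p in list(self.peers.values()):
            if self.now - p.created_at >= SA_LIFETIME:
                self._release(p)

    def probe_and_reap(self, responders):
        """Early detection: probe idle peers, release those that never answer.

        `responders` stands in for the set of peers that reply to the probe.
        """
        for p in list(self.peers.values()):
            if self.now - p.last_rx < IDLE_THRESHOLD:
                continue                      # recently active, no probe needed
            if p.name in responders:
                self.receive(p.name)          # probe answered: reset the counter
                continue
            p.unanswered_probes += 1
            if p.unanswered_probes >= DPD_RETRIES:
                self._release(p)


def scenario(use_dpd):
    """Four APs connect; two go silent. Returns (free DH slots after 11 min,
    whether a fifth AP can still connect)."""
    c = Concentrator()
    for name in ("ap-1", "ap-2", "ap-3", "ap-4"):
        c.connect(name)
    c.advance(60)
    c.receive("ap-1")
    c.receive("ap-2")                         # ap-3 and ap-4 stay silent from here on
    for _ in range(10):                       # ten more minutes in 60 s steps
        c.advance(60)
        c.receive("ap-1")
        c.receive("ap-2")
        if use_dpd:
            c.probe_and_reap(responders={"ap-1", "ap-2"})
        else:
            c.reap_fixed_timeout()
    free = len(c.free_dh)
    return free, c.connect("ap-5") is not None


if __name__ == "__main__":
    print("fixed timeout :", scenario(use_dpd=False))   # (0, False)
    print("liveness probe:", scenario(use_dpd=True))    # (2, True)
```

With the fixed-timeout strategy the two silent peers keep their DH slots for the full hour, so a fifth access point cannot connect after eleven minutes; with probing, the silent peers are released after three unanswered probes and the pool has room again. The numbers are only meaningful relative to each other; the point is that inactivity detection decoupled from the static SA lifetime is what frees resources early.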