Exactly. For DPD to work, you should have a version more that 12.2(8)T. I am not very sure how the same command works for both. But I believe the developers have changed the code in 12.2(8)T and above so that the underlying keepalive concept remains transparent. With regular keepalives, the interested party had to wait for some 'n' number of tries before assuming the peer is dead but DPD accelerates this process by having user-configurable retries.
What you can do practically is issue "debug crypto isa" on the router and see the logg messages generated using "show logg". You'll DPD/R_U_THERE and DPD/R_U_THERE_ACK messages in the logs. This should convince you that DPD is working properly. I have seen this during keepalive configuration in my lab.
This DPD is largely implementation specific. The DPD timer may mean 2 things here. Either one can wait for duration to hear for any inbound traffic from the peer or can tell how long to wait before considering an IKE session idle. In the latter case, a peer can initiate a DPD exchange if there is some traffic to be sent out (i.e., after an session is idle). Thatz why I felt its implementation specific. For eg: if is 10 seconds, then one implementation could wait for 10 seconds to see for any inbound traffic from the peer (to initiate a DPD exchange); an other implementation could consider 10 seconds as duration beyond which the session is considered idle. In this case, if there are some outbound traffic that needs to be sent, say after 200 seconds (190 secs in idle period), the interested party can initiate a DPD exchange. The whole idea is to reduce the number of IKE messages.
I verified the command and found this link. It contains a host of crypto commands.
http://www.cisco.com/en/US/netsol/ns110/ns170/ns172/ns334/networking_solutions_design_guide_chapter09186a008017e279.html#45000
Feel free to let me know if my understanding is wrong.
Naveen
mnaveen@cisco.com
