For detecting dead tunnels on an IPsec VPN, which DPD mode sends probes only when there’s outbound traffic but no response?

The correct choice is B, On Demand. This mode is specifically designed to send Dead Peer Detection (DPD) probes in situations where there is outbound traffic but no response from the peer. This is particularly useful in managing bandwidth, as it avoids unnecessary probing when no traffic is being exchanged. By triggering probes only when there is active communication, the On Demand mode helps maintain efficient utilization of network resources while still ensuring that the VPN connection is monitored for liveness.

In contrast, Continuous mode regularly sends probes at predetermined intervals regardless of traffic, potentially resulting in unnecessary overhead when the connection is still active. Always mode sends probes persistently, which can lead to excessive traffic regardless of the actual activity on the tunnel. Never mode disables DPD altogether, missing the opportunity to detect and react to tunnel failures. Each of these modes serves its purpose, but On Demand strikes a balance by monitoring tunnel health selectively, ensuring that it conserves resources while maintaining connection integrity when active data traffic is present.