Retrying ISAKMP Phase 1 and 2 Negotiations, Command Changes – Allied Telesis RAPIER I User Manual

Software Version 2.8.1

C613-10477-00 REV B

4. Further retransmissions have a progressively larger delay. The gap between
   the second and third retransmissions is 16 seconds, the gap between the
   third and fourth retransmissions is 24 seconds, the next gap is 32 seconds,
   then 40, 48 and 56 seconds after each retransmission attempt.

5. After the eighth retransmission, the exchange times out.

Command Changes

The following table summarises the modified commands:

Command                 Change
create isakmp policy    New msgbackoff parameter.
set isakmp policy       New msgbackoff parameter.
show isakmp exchange    New Message Back-off parameter in the output for a specific exchange.
show isakmp policy      New Message Back-off parameter in the output for a specific policy.
show isakmp sa          New Message Back-off parameter in the output for a specific Security Association (SA).

Retrying ISAKMP Phase 1 and 2 Negotiations

This Software Version allows ISAKMP to retry phase 1 and phase 2
negotiations with an ISAKMP peer. Previously the router or switch would only
attempt an ISAKMP negotiation once.

You can now set an ISAKMP policy to retry failed ISAKMP exchanges until
either the connection is established, or the retry limit is reached. To specify the
retry limit for a policy, use the new retryikeattempts parameter in the
commands:

create isakmp policy=name peer={ipv4add|ipv6add|any}
    [retryikeattempts={0..16|continuous}] [other parameters]

set isakmp policy=name peer={ipv4add|ipv6add|any}
    [retryikeattempts={0..16|continuous}] [other parameters]

The retryikeattempts parameter is only valid when a specific peer IP address is
configured in both the ISAKMP and IPsec policies. This feature is designed for
permanent VPN connections. By default, retryikeattempts is set at 0, and
negotiations are not retried.

ISAKMP retryikeattempts is intended to help re-establish ISAKMP exchanges
when network problems or key exchange errors occur. Specifically, ISAKMP
reattempts exchanges when:

- the router or switch rejects SA proposals sent by the peer
- authentication fails during phase 1 or phase 2
- the exchange times out during phase 1 or phase 2
- the peer sends a Delete SA notification message for the most recent SA
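The retryikeattempts rules described above (range 0..16 or continuous, default 0, specific peer IP address required) can be checked offline against a saved configuration. The script below is an added example, not part of the manual or of Allied Telesis software; the function names and the sample configuration are constructed, and it checks only ISAKMP policy lines because the IPsec policy syntax is not shown on this page.

```python
import ipaddress
import re

PARAM = re.compile(r"(\w+)=(\S+)")  # key=value tokens on a command line

def retry_value_ok(value):
    """True if value fits the documented range {0..16|continuous}."""
    if value.lower() == "continuous":
        return True
    return value.isdigit() and 0 <= int(value) <= 16

def is_specific_peer(peer):
    """True only for a literal IPv4/IPv6 address, so peer=any is rejected."""
    try:
        ipaddress.ip_address(peer)
        return True
    except ValueError:
        return False

def check_line(line):
    """Return (policy_name, problems) for one create/set isakmp policy line."""
    params = {k.lower(): v for k, v in PARAM.findall(line)}
    problems = []
    retry = params.get("retryikeattempts", "0")  # documented default is 0
    if not retry_value_ok(retry):
        problems.append(f"retryikeattempts={retry} is outside 0..16|continuous")
    elif (retry.lower() == "continuous" or int(retry) > 0) \
            and not is_specific_peer(params.get("peer", "")):
        # Assumption: only a request for retries (non-zero) is flagged.
        problems.append("retryikeattempts needs a specific peer IP address")
    return params.get("policy", "?"), problems

def audit(config_text):
    """Check every create/set isakmp policy line; return {policy: problems}."""
    report = {}
    for line in config_text.splitlines():
        if line.lower().split()[:2] in (["create", "isakmp"], ["set", "isakmp"]):
            name, problems = check_line(line)
            report.setdefault(name, []).extend(problems)
    return report

# Constructed sample configuration (documentation-range addresses).
SAMPLE = """\
create isakmp policy=hq peer=192.0.2.10 retryikeattempts=5
create isakmp policy=roaming peer=any retryikeattempts=continuous
set isakmp policy=branch peer=2001:db8::1 retryikeattempts=17
create isakmp policy=lab peer=198.51.100.7
"""

if __name__ == "__main__":
    for policy, problems in audit(SAMPLE).items():
        print(policy, "OK" if not problems else "; ".join(problems))
```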
