Configuring the ike keepalive function – H3C Technologies H3C S6300 Series Switches User Manual

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Configure the global identity to be used by the local end.
    Command: ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
    Remarks: By default, the IP address of the interface to which the IPsec policy or IPsec policy template is applied is used as the IKE identity.

Step 3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication.
    Command: ike signature-identity from-certificate
    Remarks: By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command on the local device when the following conditions exist:
      - If the aggressive IKE SA negotiation mode and signature authentication are used.
      - When the device interconnects with a peer device that runs a Comware V5-based release supporting only DN for signature authentication.

Configuring the IKE keepalive function

IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.

Follow these guidelines when you configure the IKE keepalive function:

- Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer. The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources.

- The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout three times as long as the keepalive interval.

To configure the IKE keepalive function:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Set the IKE SA keepalive interval.
    Command: ike keepalive interval seconds
    Remarks: By default, no keepalives are sent to the peer.

Step 3. Set the IKE SA keepalive timeout time.
    Command: ike keepalive timeout seconds
    Remarks: By default, IKE SA keepalive never times out.
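
A configuration check for the guidelines above, added here as an example and not part of the H3C manual: it reads the two keepalive commands from each peer's configuration text and reports a timeout that the other side's interval cannot satisfy. The device names and sample configurations are constructed, and it assumes the commands appear in the configuration text as written on this page.

```python
import re

# The two commands documented above, e.g. "ike keepalive interval 20".
_CMD = re.compile(r"^[ \t]*ike keepalive (interval|timeout) (\d+)[ \t]*$", re.M)

def parse_keepalive(config_text):
    """Return {'interval': int|None, 'timeout': int|None}; None means the
    command is absent and the documented default applies."""
    settings = {"interval": None, "timeout": None}
    for kind, seconds in _CMD.findall(config_text):
        settings[kind] = int(seconds)  # a later line overrides an earlier one
    return settings

def check_direction(sender, receiver, s_name, r_name):
    """Check keepalives sent by `sender` against `receiver`'s timeout."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if timeout is None:
        return []  # receiver never times out, so no SA can be deleted
    if interval is None:
        return [f"ERROR {r_name}: timeout {timeout}s but {s_name} sends no keepalives"]
    if timeout <= interval:
        return [f"ERROR {r_name}: timeout {timeout}s not longer than {s_name} interval {interval}s"]
    if timeout < 3 * interval:
        return [f"WARN {r_name}: timeout {timeout}s is under 3x {s_name} interval {interval}s"]
    return []

def check_pair(cfg_a, cfg_b, name_a="A", name_b="B"):
    """Apply the guidelines in both directions between two IKE peers."""
    a, b = parse_keepalive(cfg_a), parse_keepalive(cfg_b)
    return check_direction(a, b, name_a, name_b) + check_direction(b, a, name_b, name_a)

# Constructed sample configurations (not from the manual).
DEVICE_A = """
ike keepalive interval 20
ike keepalive timeout 60
"""
DEVICE_B = """
ike keepalive interval 30
ike keepalive timeout 15
"""

if __name__ == "__main__":
    for finding in check_pair(DEVICE_A, DEVICE_B):
        print(finding)
```

An ERROR marks a pairing in which the receiving side would delete the IKE SA and its IPsec SAs even though the sender is reachable; a WARN marks a timeout below the three-interval rule of thumb.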