Setting keepalive timers, Setting the nat keepalive timer – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
| Step | Command | Remarks |
|---|---|---|
| 11. Specify the IP addresses of the remote gateway. | remote-address { hostname [ dynamic ] \| low-ip-address [ high-ip-address ] } | Optional. The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer. |
| 12. Apply a DPD detector to the IKE peer. | dpd dpd-name | Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "." |
NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa
commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
Setting keepalive timers
IKE uses keepalive packets to maintain the link status of an ISAKMP SA. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA is tagged with the TIMEOUT tag (if it does not already have the tag), or is deleted along with the IPsec SAs it negotiated (if it already has the tag).
To set the keepalive timers:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the ISAKMP SA keepalive interval. | ike sa keepalive-timer interval seconds | No keepalive packet is sent by default. |
| 3. Set the ISAKMP SA keepalive timeout. | ike sa keepalive-timer timeout seconds | No keepalive packet is sent by default. |
NOTE:
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Because it is rare for more than three consecutive packets to be lost on a network, the keepalive timeout can be set to three times the keepalive interval.
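
The rule in the NOTE above can be checked across a pair of gateways before a change is pushed. The following Python script is an added example, not part of the H3C manual: it assumes each gateway's configuration text contains the two commands in the form shown in the table, and the gateway names, sample values and the ERROR/ADVICE labels are constructed for illustration.

```python
import re

# Matches the two commands from the table, e.g. "ike sa keepalive-timer interval 20".
TIMER_RE = re.compile(r"^\s*ike sa keepalive-timer (interval|timeout) (\d+)\s*$", re.M)

def parse_timers(config_text):
    """Return the keepalive interval and timeout (seconds, or None if unset)."""
    timers = {"interval": None, "timeout": None}
    for kind, seconds in TIMER_RE.findall(config_text):
        timers[kind] = int(seconds)  # a later line overrides an earlier one
    return timers

def check_direction(sender, receiver, sender_name, receiver_name):
    """Compare the sender's keepalive interval with the receiver's timeout."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if timeout is None:
        return []  # receiver never times out the ISAKMP SA on missing keepalives
    if interval is None:
        return [f"ERROR: {receiver_name} timeout {timeout}s set, but "
                f"{sender_name} sends no keepalives"]
    if timeout <= interval:
        return [f"ERROR: {receiver_name} timeout {timeout}s is not longer than "
                f"{sender_name} interval {interval}s"]
    if timeout < 3 * interval:
        return [f"ADVICE: {receiver_name} timeout {timeout}s is under 3x "
                f"{sender_name} interval {interval}s"]
    return []

def audit_pair(config_a, config_b, name_a="A", name_b="B"):
    """Check both directions of one IKE peering; return a list of findings."""
    a, b = parse_timers(config_a), parse_timers(config_b)
    return (check_direction(a, b, name_a, name_b)
            + check_direction(b, a, name_b, name_a))

# Constructed sample configurations (not taken from a real device).
GATEWAY_A = """
 ike sa keepalive-timer interval 20
 ike sa keepalive-timer timeout 60
"""
GATEWAY_B = """
 ike sa keepalive-timer interval 30
 ike sa keepalive-timer timeout 15
"""

if __name__ == "__main__":
    for finding in audit_pair(GATEWAY_A, GATEWAY_B, "GatewayA", "GatewayB"):
        print(finding)
```

With the sample values, GatewayB's 15-second timeout is shorter than GatewayA's 20-second interval, so GatewayB would tag and then delete a healthy SA; GatewayA's 60-second timeout is valid but below three times GatewayB's 30-second interval.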
Setting the NAT keepalive timer
If IPsec traffic needs to pass through NAT security gateways, you must configure the NAT traversal
function. If no packet travels across an IPsec tunnel in a certain period of time, the NAT mapping may get
aged and be deleted, disabling the tunnel beyond the NAT gateway from transmitting data to the