H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Step Remarks

2. Configuring an IKE proposal

Required when IKE peers need to specify an IKE proposal.

An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the smaller the sequence number, the higher the preference.

Two peers must have at least one pair of matched IKE proposals for successful IKE negotiation. During IKE negotiation, the negotiation initiator sends its IKE proposals to the peer. The peer will match the IKE proposals against its own IKE proposals, starting with the one with the smallest sequence number. The match goes on until a match is found or all IKE proposals are found mismatched. The matched IKE proposals will be used to establish the security tunnel.

Two matched IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The ISAKMP SA lifetime takes the smaller of the lifetimes in the two matched IKE proposals.

By default, there is an IKE proposal, which has the lowest preference and uses these default settings:

Pre-shared key authentication method.

SHA authentication algorithm.

DES-CBC encryption algorithm.

DH group named Group1.

SA lifetime of 86400 seconds.

3. Configuring IKE DPD

Optional.

DPD detects dead IKE peers on demand rather than at regular intervals. When the local end sends an IPsec packet, DPD checks the time the last IPsec packet was received from the peer. If the time elapsed since then exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

4. Configuring an IKE peer

Required.

Create an IKE peer and configure the related parameters.

IMPORTANT:

If you change the settings of an IKE peer, make sure you clear the established IPsec SAs and ISAKMP SAs on the pages displayed after you select VPN > IKE > IKE SA and select VPN > IPSec > IPSec SA, respectively. Otherwise, SA renegotiation will fail.

5. Viewing IKE SAs

Optional.
View the summary information of the current ISAKMP SA.
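
The proposal matching described in step 2, as an added example (not code from the manual or from H3C): it shows how two peers whose custom proposals differ in a single attribute fall through to the default DES-CBC/Group1 proposal, and how to flag that result. The walk order over both lists, DEFAULT_SEQ, the sample peers and the WEAK audit policy are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Proposal:
    seq: int           # sequence number: smaller value = higher preference
    encryption: str
    auth_method: str
    auth_algorithm: str
    dh_group: str
    lifetime: int      # ISAKMP SA lifetime in seconds

    def attrs(self) -> Tuple[str, str, str, str]:
        # The four attributes that must be identical for two proposals to match.
        return (self.encryption, self.auth_method, self.auth_algorithm, self.dh_group)

# Default proposal as listed in the manual. DEFAULT_SEQ is a constructed
# stand-in for "lowest preference"; the manual gives no number.
DEFAULT_SEQ = 10**6
DEFAULT = Proposal(DEFAULT_SEQ, "DES-CBC", "pre-shared key", "SHA", "Group1", 86400)

# Audit policy assumed by this example: DES and DH Group1 are deprecated.
WEAK = {"DES-CBC", "Group1"}

def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Optional[Tuple[Proposal, Proposal, int]]:
    """Return (initiator proposal, responder proposal, SA lifetime) or None."""
    # Assumption: both lists are walked in ascending sequence-number order.
    for offered in sorted(initiator, key=lambda p: p.seq):
        for local in sorted(responder, key=lambda p: p.seq):
            if offered.attrs() == local.attrs():
                # The ISAKMP SA lifetime is the smaller of the two.
                return offered, local, min(offered.lifetime, local.lifetime)
    return None

def weak_attributes(match) -> List[str]:
    """List negotiated attributes that the audit policy above rejects."""
    return [a for a in match[0].attrs() if a in WEAK] if match else []

# Constructed sample peers: the custom proposals differ only in encryption.
peer_a = [Proposal(10, "AES-CBC-128", "pre-shared key", "SHA", "Group2", 3600), DEFAULT]
peer_b = [Proposal(5, "3DES-CBC", "pre-shared key", "SHA", "Group2", 28800), DEFAULT]
peer_b_fixed = [Proposal(5, "AES-CBC-128", "pre-shared key", "SHA", "Group2", 28800), DEFAULT]

if __name__ == "__main__":
    for name, resp in (("mismatched", peer_b), ("aligned", peer_b_fixed)):
        m = negotiate(peer_a, resp)
        print(name, m[0].attrs(), "lifetime", m[2], "weak:", weak_attributes(m))
```

In the mismatched case the negotiation still succeeds, so the fallback to the default proposal is only visible if the negotiated attributes are checked, for example on the IKE SA page from step 5.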
