beautypg.com

Ike configuration example, Network requirements – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 855

background image

834

Field

Description

Flag

Status of the SA. Possible values include:

RD—Ready. The SA has already been established and is ready for use.

ST—Stayalive. The local end is the tunnel negotiation initiator.

RL—Replaced. The tunnel has been replaced and will be cleared soon.

FD—Fading. The soft lifetime expires but the tunnel is still in use. The

tunnel will be deleted when the hard lifetime expires.

TO—Timeout. The SA has received no keepalive packets after the last

keepalive timeout. If no keepalive packets are received before the next

keepalive timeout, the SA will be deleted.

IMPORTANT:

IKE maintains the link status of an ISAKMP SA by keepalive packets.

Generally, if the peer is configured with the keepalive timeout, you must

configure the keepalive packet transmission interval on the local end. If the
peer receives no keepalive packet during the timeout interval, the ISAKMP SA

will be tagged with the TIMEOUT tag (if it does not have the tag), or be deleted

along with the IPsec SAs it negotiated (when it has the tag already).

Domain of Interpretation

Interpretation domain to which the SA belongs.

IKE configuration example

Network requirements

As shown in

Figure 609

, configure an IPsec tunnel between AC 1 and AC 2 to protect traffic between

subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
On AC 1, configure an IKE proposal that uses the sequence number 10 and the authentication algorithm

MD5. AC 2 uses the default IKE proposal.
Configure the pre-shared key authentication method.

Figure 888 Network diagram

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: