Setting keepalive timers – H3C Technologies H3C SecPath F1000-E User Manual
Page 171

To do…                        Use the command…   Remarks
Apply a DPD to the IKE peer   dpd dpd-name       Optional. No DPD is applied to an IKE peer by default. For DPD configuration, refer to .
Note that:
• After modifying the configuration of an IPsec IKE peer, run the reset ipsec sa and reset ike sa commands to clear the previous IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
• If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive.
• In main mode with pre-shared key authentication, only the IP address ID type can be used in IKE negotiation (the identity payload is sent encrypted, so the responder can only select the pre-shared key by the initiator's IP address). In aggressive mode, either the IP address or the name ID type can be used.
• An IKE peer uses its configured IKE negotiation mode when it is the negotiation initiator. A negotiation responder uses the IKE negotiation mode of the initiator.
• The local-address command is required only when you want to specify a special address (a loopback interface address, for example) for the local gateway. The remote-name command or the remote-address command is required on the initiator so that it can find the remote peer during negotiation.
• To save IP addresses, ISPs often deploy NAT gateways on public networks and allocate private IP addresses to users. One end of an IPsec/IKE tunnel may then have a public address while the other end has a private address, and NAT traversal must be configured at both endpoints for the tunnel to be set up.
• The remote gateway name configured with the remote-name command on the local gateway must be identical to the local name configured with the local-name command on its peer.
• The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on its peer.
• The IKE proposals specified in IKE peer view are used when the local peer initiates a negotiation. When acting as a responder, the local peer uses the IKE proposals configured in system view.
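The following is an added example that is not part of the manual: it puts the notes above together for two gateways, GW-A with a fixed public address and GW-B behind an ISP NAT with a dynamically assigned address, so aggressive mode, name-type IDs and NAT traversal are needed on both sides. The gateway names, addresses and key are invented. The commands ike peer (assumed to be what enters IKE peer view), exchange-mode, id-type, pre-shared-key and nat traversal are assumed Comware-style IKE peer view commands, and local-name is assumed to be entered in IKE peer view; the IPsec policy and proposal that reference the peer are not on this page and are omitted.

```text
# Added example (not from the manual). GW-A: fixed address 203.0.113.10.
# GW-B: private, dynamically assigned address behind an ISP NAT gateway.
# Assumed commands: ike peer, exchange-mode, id-type, pre-shared-key, nat traversal.

# --- GW-A (responder for GW-B) ---
<GW-A> system-view
[GW-A] ike peer gw-b
[GW-A-ike-peer-gw-b] exchange-mode aggressive       # GW-B's address is dynamic, so aggressive mode
[GW-A-ike-peer-gw-b] id-type name                   # name IDs; IP IDs are the only option in PSK main mode
[GW-A-ike-peer-gw-b] local-name gw-a.example.net    # must equal remote-name on GW-B
[GW-A-ike-peer-gw-b] remote-name gw-b.example.net   # must equal local-name on GW-B
[GW-A-ike-peer-gw-b] pre-shared-key cipher <shared-secret>
[GW-A-ike-peer-gw-b] nat traversal                  # required on BOTH ends, not only behind the NAT
[GW-A-ike-peer-gw-b] quit
# No remote-address on GW-A: GW-B's address is unknown in advance, and the responder
# locates the peer by remote-name. local-address is left at the interface address.

# --- GW-B (initiator) ---
<GW-B> system-view
[GW-B] ike peer gw-a
[GW-B-ike-peer-gw-a] exchange-mode aggressive       # used because GW-B initiates; GW-A follows it
[GW-B-ike-peer-gw-a] id-type name
[GW-B-ike-peer-gw-a] local-name gw-b.example.net
[GW-B-ike-peer-gw-a] remote-name gw-a.example.net
[GW-B-ike-peer-gw-a] remote-address 203.0.113.10    # the initiator needs this; equals GW-A's local address
[GW-B-ike-peer-gw-a] pre-shared-key cipher <shared-secret>
[GW-B-ike-peer-gw-a] nat traversal
[GW-B-ike-peer-gw-a] quit

# After changing either peer, clear the old SAs or re-negotiation with the new settings fails:
[GW-B] reset ipsec sa
[GW-B] reset ike sa
```

The names are cross-matched (GW-A's remote-name is GW-B's local-name and vice versa), which is the check to make first when an aggressive-mode negotiation with name IDs fails; the second is that nat traversal is present on both gateways, because the page requires it at both endpoints even though only GW-B sits behind the NAT.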
Setting Keepalive Timers
IKE maintains the link status of an ISAKMP SA with keepalive packets. If the peer is configured with a keepalive timeout, configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet within the timeout interval, it marks the ISAKMP SA with the TIMEOUT tag if the SA is not yet tagged; if the SA already carries the tag, the peer deletes it along with the IPsec SAs it negotiated. An SA is therefore torn down after two consecutive timeout intervals without a keepalive, so the timeout must be longer than the sender's interval, or every interval will count as a missed keepalive.
Follow these steps to set the keepalive timers:

To do…                                 Use the command…                          Remarks
Enter system view                      system-view                               —
Set the ISAKMP SA keepalive interval   ike sa keepalive-timer interval seconds   Required. No keepalive packet is sent by default.
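An added example, not from the manual, showing the two sides of the keepalive mechanism described above: GW-A sends keepalives, GW-B times them out. The timeout command on the receiving side is not on this page; its name, ike sa keepalive-timer timeout seconds, and the display ike sa check are assumptions, as are the gateway names and the values chosen.

```text
# Added example (not from the manual). Keepalives flow from GW-A to GW-B;
# GW-B decides when the ISAKMP SA is dead.
# Assumed: "ike sa keepalive-timer timeout seconds" on the receiver, "display ike sa" for the check.

# --- GW-A: sender ---
<GW-A> system-view
[GW-A] ike sa keepalive-timer interval 20        # one keepalive every 20 s (nothing is sent by default)

# --- GW-B: receiver ---
<GW-B> system-view
[GW-B] ike sa keepalive-timer timeout 60         # longer than the sender's interval, so a single delayed
                                                 # or lost keepalive does not tag the SA; after two silent
                                                 # 60 s periods the ISAKMP SA and its IPsec SAs are deleted

# Check on GW-B: list ISAKMP SAs and their flags; an SA that has missed one timeout period
# should show the TIMEOUT tag before it is deleted on the next one.
[GW-B] display ike sa
```

With these values a dead peer is detected after at most 120 s of silence (two timeout periods). Setting the timeout below the interval would tag the SA on every period and delete it after two, tearing down healthy tunnels. The dpd command in the IKE peer table above is the on-demand alternative to these periodic keepalives.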