Setting the nat keepalive timer, Configuring a dpd – H3C Technologies H3C SecPath F1000-E User Manual
Page 172
To do…                                 Use the command…                          Remarks
Set the ISAKMP SA keepalive timeout    ike sa keepalive-timer timeout seconds    Required. No keepalive packet is sent by default.
NOTE:
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Because it seldom happens that more than three consecutive packets are lost on a network, the keepalive timeout can be set to three times the keepalive interval.
Setting the NAT Keepalive Timer
If there are NAT security gateways along a VPN tunnel established by IPsec/IKE, you need to configure the NAT traversal function. If no packet travels across an IPsec tunnel for a certain period of time, the NAT mapping may age out and be deleted, so the tunnel beyond the NAT gateway can no longer transmit data to the intended end. To prevent NAT mappings from aging out, an ISAKMP SA behind the NAT security gateway sends NAT keepalive packets to its peer at a certain interval to keep the NAT session alive.
Follow these steps to set the NAT keepalive timer:
To do…                            Use the command…                               Remarks
Enter system view                 system-view                                    —
Set the NAT keepalive interval    ike sa nat-keepalive-timer interval seconds    Required. 20 seconds by default.
Configuring a DPD
Dead peer detection (DPD) is used to detect the status of IPsec peers. With the DPD function enabled, if an end receives no IPsec-protected packets from its peer within the DPD query triggering interval, it sends a request to the peer to detect whether the IKE peer still exists.
The difference between DPD and keepalive is that keepalive sends query packets periodically, whereas DPD sends a query packet only when an encrypted packet is to be sent and the DPD query triggering interval has expired.
Follow these steps to configure a DPD:
To do…                                        Use the command…               Remarks
Enter system view                             system-view                    —
Create a DPD and enter its view               ike dpd dpd-name               Required
Set the DPD query triggering interval         interval-time interval-time    Optional. 10 seconds by default.
Set the DPD packet retransmission interval    time-out time-out              Optional. 5 seconds by default.
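A worked two-gateway configuration, added here as an illustration and not taken from the H3C manual, that applies the rule in the NOTE above: Gateway A (behind a NAT device) sends ISAKMP keepalives every 20 seconds, so Gateway B's keepalive timeout is set to three times that, 60 seconds, and A additionally sends NAT keepalives and uses a DPD profile. The `ike sa keepalive-timer interval` command, the `ike peer` view and the `dpd` command that binds a DPD profile to a peer are assumed from Comware V5 and do not appear on this page; the `#` lines are annotations, not CLI input.

```text
# ---- Gateway A: sits behind the NAT security gateway ----
system-view
 ike sa keepalive-timer interval 20        # assumed command: send an ISAKMP keepalive every 20 s
 ike sa nat-keepalive-timer interval 20    # keep the NAT UDP mapping alive; must be shorter than
                                           # the NAT device's mapping lifetime (page default: 20 s)
 ike dpd dpd-to-b                          # create the DPD profile and enter its view
  interval-time 10                         # send a DPD query after 10 s without IPsec traffic from B
  time-out 5                               # retransmit an unanswered DPD query every 5 s
  quit
 ike peer gw-b                             # assumed: IKE peer view for Gateway B
  dpd dpd-to-b                             # assumed: apply the DPD profile to this peer
  quit

# ---- Gateway B: public side, receives A's keepalives ----
system-view
 ike sa keepalive-timer timeout 60         # 3 x A's 20 s interval, per the NOTE; must exceed 20 s
 ike dpd dpd-to-a
  interval-time 10
  time-out 5
  quit
 ike peer gw-a                             # assumed: IKE peer view for Gateway A
  dpd dpd-to-a                             # assumed
  quit
```

Because A is the end behind NAT, only A needs `ike sa nat-keepalive-timer`; B's timeout of 60 seconds means B tears down the ISAKMP SA only after three consecutive keepalives from A are lost.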