Viewing IKE SAs – H3C Technologies H3C SecPath F1000-E User Manual
Item | Description
Enable the NAT traversal function | Enable the NAT traversal function for IPsec/IKE. The NAT traversal function must be enabled if a NAT security gateway exists in an IPsec/IKE VPN tunnel. In main negotiation mode, IKE does not support NAT traversal and this field is grayed out. In FIPS mode, the IKE negotiation must use the main mode and you must configure NAT traversal at the CLI.
IMPORTANT:
To save IP addresses, ISPs often deploy NAT gateways on public networks to
allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel
may have a public address while the other end may have a private address, and
NAT traversal must be configured at the private network side to set up the tunnel.
Viewing IKE SAs
Select VPN > IKE > IKE SA from the navigation tree to display brief information about established
. You can click Delete All to remove all ISAKMP SAs. When you clear
a local IPsec SA, if the corresponding ISAKMP SA is still present, the local end will send a Delete
Message to the remote end across the ISAKMP SA, notifying the remote end to delete the IPsec SA. If the
corresponding ISAKMP SA is no longer present, the local end cannot notify the remote end to clear the
IPsec SA.
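The Delete notification described above, as an added example (not taken from the H3C manual or the device software): it encodes and decodes an ISAKMP Delete payload in the RFC 2408 layout for an ESP SA and models both cases from the paragraph. The SPI value, the function names and the set-based SA tables are assumptions for illustration; on the wire the payload travels inside an encrypted Informational exchange, which is not modelled here.

```python
import struct

IPSEC_DOI = 1   # RFC 2407 IPsec DOI
PROTO_ESP = 3   # RFC 2407 PROTO_IPSEC_ESP
# next payload, reserved, payload length, DOI, protocol ID, SPI size, number of SPIs
HDR = struct.Struct("!BBHIBBH")


def build_delete(spis, protocol_id=PROTO_ESP, next_payload=0):
    """Encode a Delete payload listing the SAs the sender has removed."""
    if not spis or not spis[0] or len({len(s) for s in spis}) != 1:
        raise ValueError("need at least one non-empty SPI, all of the same size")
    spi_size = len(spis[0])
    length = HDR.size + spi_size * len(spis)
    header = HDR.pack(next_payload, 0, length, IPSEC_DOI,
                      protocol_id, spi_size, len(spis))
    return header + b"".join(spis)


def parse_delete(payload):
    """Decode a Delete payload; reject lengths that do not match the SPI list."""
    if len(payload) < HDR.size:
        raise ValueError("truncated Delete payload")
    _nxt, _rsv, length, doi, proto, spi_size, count = HDR.unpack_from(payload)
    if spi_size == 0 or length != len(payload) or length != HDR.size + spi_size * count:
        raise ValueError("length field inconsistent with SPI size and count")
    body = payload[HDR.size:]
    spis = [body[i:i + spi_size] for i in range(0, len(body), spi_size)]
    return {"doi": doi, "protocol_id": proto, "spis": spis}


def clear_ipsec_sa(local_sas, remote_sas, spi, isakmp_sa_up):
    """Clear a local IPsec SA; the peer learns of it only over a live ISAKMP SA."""
    local_sas.discard(spi)
    if not isakmp_sa_up:
        return None                          # no channel: the remote SA goes stale
    msg = build_delete([spi])                # local end sends the Delete message
    for dead in parse_delete(msg)["spis"]:   # remote end processes it
        remote_sas.discard(dead)
    return msg


if __name__ == "__main__":
    spi = bytes.fromhex("c0ffee01")          # constructed sample SPI
    for up in (True, False):
        local, remote = {spi}, {spi}
        sent = clear_ipsec_sa(local, remote, spi, isakmp_sa_up=up)
        print(f"ISAKMP SA present={up}: sent={sent.hex() if sent else None}, "
              f"remote still holds SA={spi in remote}")
```
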
Figure 89 IKE SA list
Table 9 Field description
Field | Description
Connection ID | Identifier of the ISAKMP SA.
Remote IP Address | Remote IP address of the SA.