Viewing ike sas – H3C Technologies H3C SecPath F1000-E User Manual

Page 143

131

Item

Description

Enable the NAT traversal
function

Enable the NAT traversal function for IPsec/IKE.
The NAT traversal function must be enabled if a NAT security gateway exists in

an IPsec/IKE VPN tunnel.
In main negotiation mode, IKE does not support NAT traversal and this field is
grayed out.
In FIPS mode, the IKE negotiation must use the main mode and you must
configure NAT traversal at the CLI.

IMPORTANT:

To save IP addresses, ISPs often deploy NAT gateways on public networks to

allocate private IP addresses to users. In this case, one end of an IPsec/IKE tunnel

may have a public address while the other end may have a private address, and
NAT traversal must be configured at the private network side to set up the tunnel.

Viewing IKE SAs

Select VPN > IKE > IKE SA from the navigation tree to display brief information about established

ISAKMP SAs, as shown in

Figure 89

. You can click Delete All to remove all ISAKMP SAs. When you clear

a local IPsec SA, if the corresponding ISAKMP SA is still present, the local end will send a Delete

Message to the remote end across the ISAKMP SA, notifying the remote end to delete the IPsec SA. If the

corresponding ISAKMP SA is no longer present, the local end cannot notify the remote end to clear the

IPsec SA.

Figure 89 IKE SA list

Table 9 Field description

Field

Description

Connection ID

Identifier of the ISAKMP SA.

Remote IP Address

Remote IP address of the SA.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS