Ike configuration example in the web interface, Network requirements – H3C Technologies H3C SecPath F1000-E User Manual

132

Field

Description

Flag

Status of the SA. Possible values include:

•

RD (ready)—Indicates that the SA has already been established and is ready for

use.

•

ST (stayalive)—Indicates that the local end is the tunnel negotiation initiator.

•

RL (replaced)—Indicates that the tunnel has been replaced and will be cleared

soon.

•

FD (fading)—Indicates that the soft lifetime expires but the tunnel is still in use. The
tunnel will be deleted when the hard lifetime expires.

•

TO (timeout)—Indicates the SA has received no keepalive packets after the last

keepalive timeout. If no keepalive packets are received before the next keepalive
timeout, the SA will be deleted.

IMPORTANT:

IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the

peer is configured with the keepalive timeout, you must configure the keepalive packet

transmission interval on the local end. If the peer receives no keepalive packet during

the timeout interval, the ISAKMP SA will be tagged with the TIMEOUT tag (if it does not
have the tag), or be deleted along with the IPsec SAs it negotiated (when it has the tag

already).

Domain of Interpretation Interpretation domain to which the SA belongs.

IKE configuration example in the Web interface

In this example, either Device A or Device B is the SecPath firewall.

Network requirements

As shown in

Figure 90

, configure an IPsec tunnel that uses IKE negotiation between the security gateways

Device A and Device B to allow secure communication between Host A and Host B.
For Device A, configure an IKE proposal that uses the sequence number 10 and the authentication

algorithm MD5. Leave Device B with only the default IKE proposal. Configure the two devices to use the

pre-shared key authentication method.

Figure 90 Network diagram