
Disabling next payload field checking, Displaying and maintaining ike – H3C Technologies H3C SecPath F1000-E User Manual


4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.

To configure a DPD detector:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a DPD detector and enter its view. | ike dpd dpd-name | N/A |
| 3. Set the DPD interval. | interval-time interval-time | Optional. The default DPD interval is 10 seconds. |
| 4. Set the DPD packet retransmission interval. | time-out time-out | Optional. The default DPD packet retransmission interval is 5 seconds. |

Disabling next payload field checking

An IKE negotiation message comprises multiple payloads, and the Next payload field checked here is the one in the generic payload header of the last payload of the message. According to the protocol, this field must be 0 if the payload is the last payload of the packet. However, some brands of devices set it to other values. For interoperability with such devices, disable the checking of this field.

To disable Next payload field checking:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Disable Next payload field checking. | ike next-payload check disabled | Enabled by default. |
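
The check described in this section, as an added example that is not taken from the H3C manual or the device software: a Python walk of a cleartext ISAKMP payload chain using the RFC 2408 header layouts. The function names, the `check_next_payload` flag, the sample messages, and the assumption that the relaxed mode simply stops at the end of the message are all constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg ID, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length (header included)


def walk_payloads(msg: bytes, check_next_payload: bool = True):
    """Return [(payload_type, body_length), ...] for a cleartext ISAKMP message.

    check_next_payload=True models the default (check enabled); False models
    the relaxed mode (assumption: parsing stops at the end of the message).
    """
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, ptype, _ver, _xchg, _flags, _mid, total = ISAKMP_HDR.unpack_from(msg)
    if total != len(msg):
        raise ValueError("length field does not match message size")
    off, found = ISAKMP_HDR.size, []
    while off < total:
        if ptype == 0:
            raise ValueError("Next Payload = 0 before end of message")
        if off + GENERIC_HDR.size > total:
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > total:
            raise ValueError("bad payload length")
        found.append((ptype, plen - GENERIC_HDR.size))
        off += plen
        # The check this section describes: the last payload must carry 0.
        if off == total and nxt != 0 and check_next_payload:
            raise ValueError(f"last payload has Next Payload = {nxt}, expected 0")
        ptype = nxt
    return found


def build(payloads, last_next=0):
    """Constructed sample message; last_next sets the final payload's Next Payload."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else last_next
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    # Version 1.0 (0x10), exchange type 2 (Identity Protection), no flags, message ID 0.
    hdr = ISAKMP_HDR.pack(b"I" * 8, b"\0" * 8, payloads[0][0], 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed inputs: SA (type 1) and Vendor ID (type 13) with placeholder bodies.
GOOD = build([(1, b"\x00" * 8), (13, b"constructed-vid")])
QUIRKY = build([(1, b"\x00" * 8), (13, b"constructed-vid")], last_next=13)
```

With the check enabled, `walk_payloads(QUIRKY)` rejects the message; with `check_next_payload=False` it returns the same payload list as for `GOOD`, while the length checks still apply.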

Displaying and maintaining IKE

| Task | Command | Remarks |
|---|---|---|
| Display IKE DPD information. | display ike dpd [ dpd-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display IKE peer information. | display ike peer [ peer-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display IKE SA information. | display ike sa [ verbose [ connection-id connection-id \| remote-address remote-address ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
| Display IKE proposal information. | display ike proposal [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |