Setting Keepalive Timers - HP A6600 Configuration Manual

Step  To do...                               Command...                               Remarks
----  -------------------------------------  ---------------------------------------  -----------------------------------------
10.   Enable the NAT traversal function for  nat traversal                            Optional. Required when a NAT gateway is present in the VPN tunnel
      IPsec/IKE.                                                                      constructed by IPsec/IKE. Disabled by default.
11.   Set the subnet types of the two ends.                                           Optional. single-subnet by default.
      Set the subnet type of the local end.  local { multi-subnet | single-subnet }   Used only when the router is working together with a NetScreen device.
      Set the subnet type of the peer end.   peer { multi-subnet | single-subnet }
12.   Apply a DPD detector to the IKE peer.  dpd dpd-name                             Optional. No DPD detector is applied to an IKE peer by default.
                                                                                      For more information, see "Configuring a DPD detector."

NOTE:
After modifying the configuration of an IPsec IKE peer, execute reset ipsec sa and reset ike sa to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation fails.

Setting keepalive timers

IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA is tagged with the TIMEOUT tag (if it does not have the tag) or is deleted along with the IPsec SAs it negotiated (when it has the tag already).

To set the keepalive timers:

Step  To do...                               Command...                               Remarks
----  -------------------------------------  ---------------------------------------  -----------------------------------------
1.    Enter system view.                     system-view
2.    Set the ISAKMP SA keepalive interval.  ike sa keepalive-timer interval seconds  Required. No keepalive packet is sent by default.
3.    Set the ISAKMP SA keepalive timeout.   ike sa keepalive-timer timeout seconds   Required. No keepalive packet is sent by default.

NOTE:
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Since it seldom occurs that more than three consecutive packets are lost on a network, the keepalive timeout can be configured to be three times the keepalive interval.
