1906 CHAPTER 101: IKE CONFIGURATION

| To do... | Use the command... | Remarks |
|---|---|---|
| Enable the NAT traversal function of IPSec/IKE | nat traversal | Optional. Required when a NAT gateway is present in the VPN tunnel constructed by IPSec/IKE. Disabled by default. |
| Configure the subnet types of the two ends: set the subnet type of the local end | local { multi-subnet \| single-subnet } | Optional. single-subnet by default. Used only when the device is interworking with a NETSCREEN device. |
| Configure the subnet types of the two ends: set the subnet type of the peer end | peer { multi-subnet \| single-subnet } | Optional. single-subnet by default. Used only when the device is interworking with a NETSCREEN device. |
| Apply a DPD to the IKE peer | dpd dpd-name | Optional. By default, no DPD is applied to an IKE peer. For DPD configuration, refer to "Configuring a DPD" on page 1907. |

Note that:

■ After modifying the configuration of an IPSec IKE peer, you need to run the reset ipsec sa and reset ike sa commands to clear the original IPSec and IKE SAs. Otherwise, SA re-negotiation will fail.

■ If the IP address of one end of an IPSec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive.

■ In main mode of pre-shared key authentication, only the ID type of IP address can be used in IKE negotiation. In aggressive mode, however, either type can be used.

■ When one end of an IPSec/IKE tunnel references a policy template, it can be configured with an IKE negotiation mode different from that of the other end. In this case, it will use the IKE negotiation mode of the negotiation initiator. When neither of the two ends of an IPSec/IKE tunnel references a policy template, they must be configured with the same IKE negotiation mode.

■ The local-address command is required only when you want to specify a special address (a loopback interface address, for example) for the local gateway.

■ To save IP addresses, ISPs often deploy NAT gateways on public networks so as to allocate private IP addresses to users. In this case, one end of an IPSec/IKE tunnel may have a public address while the other end may have a private address, and therefore NAT traversal must be configured at the private network side to set up the tunnel.

■ If the IKE negotiation initiator uses its gateway name for IKE negotiation (that is, the id-type name command is configured on the initiator), it sends the name as its identity to the peer, whereas the peer uses the gateway name configured with the remote-name name command to authenticate the initiator. Therefore, the local gateway name for a device must be identical to the remote gateway name configured on its peer.

■ If the IKE negotiation initiator uses an IP address for IKE negotiation (that is, the id-type ip command is configured on the initiator), it sends the IP address as
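The notes above describe several consistency rules between the two ends of an IPSec/IKE tunnel (aggressive mode with dynamic addresses, ID type restrictions in main mode, matching negotiation modes unless a policy template is referenced, NAT traversal on the private side, and local-name/remote-name agreement). The following Python checker is an added example, not part of the manual or of the device software; it models each end's IKE peer settings with assumed field names (`exchange_mode`, `id_type`, `local_name`, `remote_name`, `dynamic_address`, `behind_nat`, `nat_traversal`, `policy_template`, `dpd`) and reports which of those rules a pair of configurations would violate before the SAs are renegotiated.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IkePeer:
    """Model of one end's IKE peer settings (hypothetical field names, not device syntax)."""
    name: str
    exchange_mode: str = "main"        # "main" or "aggressive"
    auth: str = "pre-shared-key"       # authentication method
    id_type: str = "ip"                # "ip" or "name" (id-type command)
    local_name: Optional[str] = None   # gateway name this end sends as its identity
    remote_name: Optional[str] = None  # name this end expects from its peer (remote-name)
    dynamic_address: bool = False      # this end's IP address is obtained dynamically
    behind_nat: bool = False           # this end sits on the private side of a NAT gateway
    nat_traversal: bool = False        # the 'nat traversal' function is enabled
    policy_template: bool = False      # this end references an IPSec policy template
    dpd: Optional[str] = None          # DPD name applied with 'dpd dpd-name', if any


def check_end(end: IkePeer) -> List[str]:
    """Rules that can be evaluated on a single end."""
    findings = []
    # Main mode with pre-shared key authentication permits only the IP address ID type.
    if end.exchange_mode == "main" and end.auth == "pre-shared-key" and end.id_type != "ip":
        findings.append(f"{end.name}: main mode with pre-shared key allows only id-type ip")
    # NAT traversal must be configured at the private-network side of a NAT gateway.
    if end.behind_nat and not end.nat_traversal:
        findings.append(f"{end.name}: behind a NAT gateway but 'nat traversal' is not enabled")
    # DPD is optional and off by default; flag it so dead peers are not silently kept.
    if end.dpd is None:
        findings.append(f"{end.name}: no DPD applied (default), dead peers will not be detected")
    return findings


def check_pair(initiator: IkePeer, responder: IkePeer) -> List[str]:
    """Rules that involve both ends; the first argument is the negotiation initiator."""
    findings = check_end(initiator) + check_end(responder)
    # A dynamically addressed end forces aggressive mode on the tunnel.
    if initiator.dynamic_address or responder.dynamic_address:
        for end in (initiator, responder):
            if end.exchange_mode != "aggressive":
                findings.append(f"{end.name}: dynamic address on the tunnel requires aggressive mode")
    # Without a policy template on either end, both ends must use the same mode.
    if (not initiator.policy_template and not responder.policy_template
            and initiator.exchange_mode != responder.exchange_mode):
        findings.append("negotiation modes differ and neither end references a policy template")
    # With id-type name, the initiator's local name must equal the responder's remote-name.
    if initiator.id_type == "name" and initiator.local_name != responder.remote_name:
        findings.append(
            f"{initiator.name}: local name {initiator.local_name!r} does not match "
            f"remote-name {responder.remote_name!r} on {responder.name}")
    return findings


# Constructed sample: a branch gateway behind NAT with a dynamic address (initiator)
# and a headquarters gateway with a public address (responder).
GOOD_BRANCH = IkePeer("branch", exchange_mode="aggressive", id_type="name",
                      local_name="branch.example", dynamic_address=True,
                      behind_nat=True, nat_traversal=True, dpd="dpd1")
GOOD_HQ = IkePeer("hq", exchange_mode="aggressive", id_type="name",
                  remote_name="branch.example", nat_traversal=True, dpd="dpd1")

BAD_BRANCH = IkePeer("branch", exchange_mode="main", id_type="name",
                     local_name="branch.example", dynamic_address=True, behind_nat=True)
BAD_HQ = IkePeer("hq", exchange_mode="aggressive", remote_name="branch-old", dpd="dpd1")

if __name__ == "__main__":
    print("consistent pair:", check_pair(GOOD_BRANCH, GOOD_HQ))
    for finding in check_pair(BAD_BRANCH, BAD_HQ):
        print("finding:", finding)
```

Run the checker against both ends' planned settings before issuing reset ipsec sa and reset ike sa, since the manual notes that re-negotiation fails once the old SAs are cleared if the two ends disagree.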