Configuring The Ike Keepalive Function - HP 5920 Series Configuration Manual
Hide thumbs
Also See for 5920 Series:
- Command reference manual (607 pages) ,
- Configuration manual (322 pages) ,
- Fc and fcoe configuration manual (257 pages)
Table of Contents
Advertisement
When pre-shared key authentication is used, you cannot set the DN as the identity.
•
To configure the global identity information:
Step
1.
Enter system view.
2.
Configure the global identity
to be used by the local end.
3.
(Optional.) Configure the
local device to always obtain
the identity information from
the local certificate for
signature authentication.
Configuring the IKE keepalive function
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive
timeout time, you must configure the keepalive interval on the local device. If the peer receives no
keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Follow these guidelines when you configure the IKE keepalive function:
•
Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer.
The IKE keepalive function sends keepalives at regular intervals, which consumes network
bandwidth and resources.
The keepalive timeout time configured on the local device must be longer than the keepalive interval
•
configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on
a network, you can set the keepalive timeout three times as long as the keepalive interval.
To configure the IKE keepalive function:
Step
1.
Enter system view.
2.
Set the IKE SA keepalive
interval.
3.
Set the IKE SA keepalive
timeout time.
Command
system-view
ike identity { address
{ ipv4-address | ipv6
ipv6-address } | dn | fqdn
[ fqdn-name ] | user-fqdn
[ user-fqdn-name ] }
ike signature-identity
from-certificate
Command
system-view
ike keepalive interval seconds
ike keepalive timeout seconds
258
Remarks
N/A
By default, the IP address of the
interface to which the IPsec policy or
IPsec policy template is applied is used
as the IKE identity.
By default, the local end uses the
identity information specified by
local-identity or ike identity for
signature authentication.
Configure this command on the local
device when the following conditions
exist:
•
If the aggressive IKE SA
negotiation mode and signature
authentication are used.
•
When the device interconnects
with a peer device that runs a
Comware V5-based release
supporting only DN for signature
authentication.
Remarks
N/A
By default, no keepalives are sent
to the peer.
By default, IKE SA keepalive never
times out.
- Quick Links:
- Configuration Guide
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
