Configuring The Ike Keepalive Function; Configuring The Ike Nat Keepalive Function - HP MSR2000 Configuration Manual
Hide thumbs
Also See for MSR2000:
- Configuration manual (455 pages) ,
- Manual (73 pages) ,
- High availability configuration manual (91 pages)
Table of Contents
Advertisement
Step
3.
(Optional.) Configure the
local device to always obtain
the identity information from
the local certificate for
signature authentication.
Configuring the IKE keepalive function
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive
timeout time, you must configure the keepalive interval on the local device. If the peer receives no
keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Follow these guidelines when you configure the IKE keepalive function:
Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer.
•
The IKE keepalive function sends keepalives at regular intervals, which consumes network
bandwidth and resources.
•
The keepalive timeout time configured on the local device must be longer than the keepalive interval
configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on
a network, you can set the keepalive timeout three times as long as the keepalive interval.
To configure the IKE keepalive function:
Step
1.
Enter system view.
2.
Set the IKE SA keepalive
interval.
3.
Set the IKE SA keepalive
timeout time.
Configuring the IKE NAT keepalive function
If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet
travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted, disabling the
tunnel from transmitting data to the intended end. To prevent NAT sessions from being aged, configure
the NAT keepalive function on the IKE gateway behind the NAT device to send NAT keepalive packets
to its peer periodically to keep the NAT session alive.
To configure the IKE NAT keepalive function:
Command
ike signature-identity
from-certificate
Command
system-view
ike keepalive interval seconds
ike keepalive timeout seconds
187
Remarks
By default, the local end uses the
identity information specified by
local-identity or ike identity for
signature authentication.
If the aggressive IKE SA negotiation
mode and signature authentication
are used, configure this command on
the local device when the device
interconnects with a peer device that
runs a Comware V5-based release
supporting only DN for signature
authentication.
Remarks
N/A
By default, no keepalives are sent
to the peer.
By default, IKE SA keepalive never
times out.
Advertisement
Table of Contents
Troubleshooting
