Configuring The Ike Keepalive Function; Configuring The Ike Nat Keepalive Function - HPE FlexFabric 7900 Series Security Configuration Manual


Step 2. Configure the global identity to be used by the local end.
  Command: ike identity { address ipv4-address | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
  Remarks: By default, the IP address of the interface to which the IPsec policy is applied is used as the IKE identity.

Step 3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for signature authentication.
  Command: ike signature-identity from-certificate
  Remarks: By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware V5-based peer device. Comware V5 supports only DN for signature authentication.

Configuring the IKE keepalive function

IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.

Follow these guidelines when you configure the IKE keepalive function:

- Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer. The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources.
- The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout three times as long as the keepalive interval.

To configure the IKE keepalive function:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Set the IKE SA keepalive interval.
  Command: ike keepalive interval seconds
  Remarks: By default, no keepalives are sent to the peer.

Step 3. Set the IKE SA keepalive timeout time.
  Command: ike keepalive timeout seconds
  Remarks: By default, IKE SA keepalive never times out.

Configuring the IKE NAT keepalive function

If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted, disabling the tunnel from transmitting data to the intended end. To prevent NAT sessions from being aged, configure the NAT keepalive function on the IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive.

To configure the IKE NAT keepalive function:
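The keepalive guideline in the IKE keepalive section above (each side's keepalive timeout must exceed the interval configured on the other side, and three intervals is the recommended margin) is easy to get wrong when the two gateways are administered separately. The following audit script is an added example and is not part of the HPE manual: it extracts the `ike keepalive interval` and `ike keepalive timeout` commands the manual lists from two constructed Comware-style configuration snippets, one per gateway, and reports pairings that would tear the IKE SA down on a single delayed keepalive or that fall short of the three-interval recommendation. The snippet contents, the gateway names and the finding wording are all assumptions made for the example.

```python
"""Audit IKE keepalive interval/timeout pairing between two IKE peers.

Added example (not from the HPE manual). It parses the two commands the
manual documents, `ike keepalive interval seconds` and `ike keepalive timeout
seconds`, out of configuration text and applies the manual's guideline:
the timeout configured on one side must be longer than the interval
configured on the other side, ideally at least three times as long.
"""
import re

# One match per "ike keepalive interval N" / "ike keepalive timeout N" line.
KEEPALIVE_RE = re.compile(r"^\s*ike keepalive (interval|timeout) (\d+)\s*$", re.M)


def parse_keepalive(config: str) -> dict:
    """Return {'interval': int | None, 'timeout': int | None} for a config snippet."""
    settings = {"interval": None, "timeout": None}
    for key, value in KEEPALIVE_RE.findall(config):
        settings[key] = int(value)
    return settings


def check_pair(local: dict, peer: dict, local_name: str = "local", peer_name: str = "peer") -> list:
    """Findings for one direction: the local timeout against the peer's interval."""
    findings = []
    timeout, interval = local["timeout"], peer["interval"]
    if interval is None:
        return findings  # peer sends no keepalives, so there is nothing to time out on
    if timeout is None:
        findings.append(
            f"{peer_name} sends keepalives every {interval}s but {local_name} has no "
            f"'ike keepalive timeout'; the IKE SA is never torn down when {peer_name} dies"
        )
        return findings
    if timeout <= interval:
        findings.append(
            f"{local_name} timeout {timeout}s is not longer than {peer_name} interval "
            f"{interval}s; one delayed keepalive tears down the IKE SA and its IPsec SAs"
        )
    elif timeout < 3 * interval:
        findings.append(
            f"{local_name} timeout {timeout}s is less than three times {peer_name} interval "
            f"{interval}s; the manual recommends timeout >= 3 * interval"
        )
    return findings


def audit(local_cfg: str, peer_cfg: str) -> list:
    """Audit both directions and remind that IKE DPD is the preferred mechanism."""
    local, peer = parse_keepalive(local_cfg), parse_keepalive(peer_cfg)
    findings = []
    if local["interval"] is not None or peer["interval"] is not None:
        findings.append("keepalive is configured; prefer IKE DPD unless the peer does not support it")
    findings += check_pair(local, peer, "local", "peer")
    findings += check_pair(peer, local, "peer", "local")
    return findings


# Constructed sample configurations (assumed values, not from the manual).
GATEWAY_A = """\
#
 ike keepalive interval 20
 ike keepalive timeout 90
#
"""
GATEWAY_B = """\
#
 ike keepalive interval 30
 ike keepalive timeout 20
#
"""

if __name__ == "__main__":
    # Expected: the DPD reminder plus one finding, because gateway B's
    # 20s timeout is not longer than gateway A's 20s interval.
    for finding in audit(GATEWAY_A, GATEWAY_B):
        print("-", finding)
```

Run it against the running configuration of both gateways (the script reads only the two `ike keepalive` lines and ignores everything else) whenever either side's interval or timeout is changed, since the guideline couples a value on one device to a value on the other.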
