Configuring The Ike Keepalive Feature; Configuring The Ike Nat Keepalive Feature - HPE FlexNetwork 10500 Series Security Configuration Manual
Hide thumbs
Also See for FlexNetwork 10500 Series:
- Security command reference (881 pages) ,
- Network management and monitoring command reference (423 pages) ,
- Configuration manual (407 pages)
Table of Contents
Advertisement
Step
2.
Configure the global identity
to be used by the local end.
3.
(Optional.) Configure the
local device to always obtain
the identity information from
the local certificate for
signature authentication.
Configuring the IKE keepalive feature
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the
keepalive timeout time, you must configure the keepalive interval on the local device. If the peer
receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec
SAs it negotiated.
Follow these guidelines when you configure the IKE keepalive feature:
•
Configure IKE DPD instead of IKE keepalive unless IKE DPD is not supported on the peer. The
IKE keepalive feature sends keepalives at regular intervals, which consumes network
bandwidth and resources.
•
The keepalive timeout time configured on the local device must be longer than the keepalive
interval configured at the peer. Since it seldom occurs that more than three consecutive packets
are lost on a network, you can set the keepalive timeout three times as long as the keepalive
interval.
To configure the IKE keepalive feature:
Step
1.
Enter system view.
2.
Set the IKE SA keepalive
interval.
3.
Set the IKE SA keepalive
timeout time.
Configuring the IKE NAT keepalive feature
If IPsec traffic passes through a NAT device, you must configure the NAT traversal feature. If no
packet travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted,
disabling the tunnel from transmitting data to the intended end. To prevent NAT sessions from being
aged, configure the NAT keepalive feature on the IKE gateway behind the NAT device to send NAT
keepalive packets to its peer periodically to keep the NAT session alive.
To configure the IKE NAT keepalive feature:
Command
ike identity { address
{ ipv4-address | ipv6
ipv6-address } | dn | fqdn
[ fqdn-name ] | user-fqdn
[ user-fqdn-name ] }
ike signature-identity
from-certificate
Command
system-view
ike keepalive interval interval
ike keepalive timeout seconds
365
Remarks
By default, the IP address of the
interface to which the IPsec policy or
IPsec policy template is applied is
used as the IKE identity.
By default, the local end uses the
identity information specified by
local-identity or ike identity for
signature authentication.
Configure this command when the
aggressive mode and signature
authentication are used and the
device interconnects with a Comware
5-based peer device. Comware 5
supports only DN for signature
authentication.
Remarks
N/A
By default, no keepalives are sent
to the peer.
By default, IKE SA keepalive
never times out.
Advertisement
Table of Contents
Troubleshooting
