Table of Contents
Advertisement
S9700 Core Routing Switch
Configuration Guide - SPU
You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of
manually created SAs is not limited. That is, the manually created SAs are always effective.
If the SA lifetime is not set in an IPSec policy, the global lifetime is used.
The new global lifetime does not affect the IPSec policies that have their own lifetime or the
SAs that have been established. The new global lifetime will be used to establish new SAs during
IKE negotiation.
Step 3 Run:
ike heartbeat-timer interval interval
The interval for sending heartbeat packets is set.
Step 4 Run:
ike heartbeat-timer timeout interval
The timeout interval of heartbeat packets is set.
If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat
packets must be set on the other end.
On a network, packet loss rarely occurs consecutively more than three times. Therefore, the
timeout interval of heartbeat packets on one end can be set to three times the interval for sending
heartbeat packets on the other end.
Step 5 Run:
ike nat-keepalive-timer interval interval
The interval for sending NAT keepalive packets is set.
Step 6 Run:
ipsec anti-replay { enable | disable }
The anti-replay function is set.
Step 7 Run:
ike peer
The IKE peer view is displayed.
Step 8 Run:
local-address address
The IP address of the local end is configured.
Step 9 Run following commands to configure the dead peer detection (DPD) function.
l
l
l
Issue 01 (2012-03-15)
Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
The idle time for DPD, retransmission interval of DPD packets, and maximum number of
retransmissions are set.
Run:
dpd msg { seq-hash-notify | seq-notify-hash }
The sequence of payload in DPD packets is configured.
Run:
dpd type { on-demand | periodic }
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 IPSec Configuration
128
Advertisement
Table of Contents
