298
Ste
Command
Remarks
1. Enter system view. system-view N/A
2. Set the NAT keepalive
interval.
ike sa nat-keepalive-timer interval
seconds
20 seconds by default.
Configuring a DPD detector
Dead peer detection (DPD) irregularly detects dead IKE peers. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval,
it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after having made the maximum number of
retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA
and the IPsec SAs based on the IKE SA.
DPD enables an IKE entity to check the liveliness of its peer only when necessary. It generates less traffic
than the keepalive mechanism, which exchanges messages periodically.
To configure a DPD detector:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Create a DPD detector and
enter its view.
ike dpd dpd-name N/A
3. Set the DPD interval. interval-time interval-time
Optional.
10 seconds by default.
4. Set the DPD packet
retransmission interval.
time-out time-out
Optional.
5 seconds by default.
Disabling next payload field checking
The Next payload field is in the generic payload header of the last payload of the IKE negotiation
message (the message comprises multiple payloads). According to the protocol, this field must be 0 if the
payload is the last payload of the packet. However, it may be set to other values on some brands of
devices. For interoperability, disable the checking of this field.
To disable Next payload field checking:
Ste
Command
Remar
Enter system view. system-view N/A
Disable Next payload field
checking.
ike next-payload check disabled
Enabled by default.
To Next Page
Loading...
Need help?
General