
HP 5920 Series Configuration Guide

HP 5920 Series
424 pages
Configuring the IKE NAT keepalive function
If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet
travels across an IPsec tunnel for a period of time, the NAT sessions are aged and deleted, and the
tunnel can no longer transmit data to the intended end. To prevent the NAT sessions from being aged,
configure the NAT keepalive function on the IKE gateway behind the NAT device so that it periodically
sends NAT keepalive packets to its peer and keeps the NAT session alive.
To configure the IKE NAT keepalive function:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the IKE NAT keepalive interval. | ike nat-keepalive seconds | The default interval is 20 seconds.
Configuring IKE DPD
DPD detects dead peers. It can operate in periodic mode or on-demand mode.
• Periodic DPD—Sends a DPD message at regular intervals. It features an earlier detection of dead
peers, but consumes more bandwidth and CPU.
• On-demand DPD—Sends a DPD message based on traffic. When the device has traffic to send and
is not aware of the liveness of the peer, it sends a DPD message to query the status of the peer. If the
device has no traffic to send, it never sends DPD messages. This mode is recommended.
The IKE DPD works as follows:
1. The local device sends a DPD message to the peer, and waits for a response from the peer.
2. If the peer does not respond within the retry interval specified by the retry seconds parameter, the
local device resends the message.
3. If still no response is received within the retry interval, the local end sends the DPD message again.
The system allows a maximum of two retries.
4. If the local device receives no response after two retries, the device considers the peer to be dead,
and deletes the IKE SA along with the IPsec SAs it negotiated.
5. If the local device receives a response from the peer during the detection process, the peer is
considered alive. The local device performs a DPD detection again when the triggering interval is
reached or it has traffic to send, depending on the DPD mode.
Follow these guidelines when you configure the IKE DPD function:
• When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE
profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
• It is a good practice to set the triggering interval longer than the retry interval so that a DPD
detection is not triggered during a DPD retry.
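The detection steps and the interval guideline above can be followed on a timeline. The Python model below is an added example, not code from the HP guide: every name in it is hypothetical, and it assumes that the device waits one more retry interval after the second retry, that a response arrives at once, and that on-demand DPD probes at the first traffic sent once the triggering interval has elapsed. It treats the interval guideline as a hard check.

```python
# Added example, not from the HP guide: timeline model of the DPD steps.
# Assumptions: all names; the device waits one more retry interval after the
# second retry; a response, if any, arrives at once; on-demand DPD probes at
# the first traffic sent once the triggering interval has elapsed.
MAX_RETRIES = 2  # guide: "The system allows a maximum of two retries."


def detect(start, retry, reachable):
    """One detection round. Returns (alive, end_time, messages_sent)."""
    for n in range(1 + MAX_RETRIES):
        sent_at = start + n * retry
        if reachable(sent_at):
            return True, sent_at, n + 1
    # No response to the first message or to either retry: peer is dead.
    return False, start + (1 + MAX_RETRIES) * retry, 1 + MAX_RETRIES


def sa_deleted_at(mode, interval, retry, reachable, traffic=(), horizon=3600):
    """Time the IKE SA and its IPsec SAs are deleted, or None if never."""
    if mode not in ("periodic", "on-demand"):
        raise ValueError("unknown DPD mode: %r" % mode)
    if interval <= retry:
        raise ValueError("set the triggering interval longer than the retry interval")
    next_allowed = interval
    while next_allowed < horizon:
        if mode == "periodic":
            start = next_allowed
        else:
            start = next((t for t in sorted(traffic) if t >= next_allowed), None)
            if start is None:
                return None  # nothing to send, so on-demand DPD never probes
        alive, end, _ = detect(start, retry, reachable)
        if not alive:
            return end
        next_allowed = end + interval
    return None


if __name__ == "__main__":
    # Constructed scenario: triggering interval 10 s, retry interval 5 s.
    gone = lambda t: t < 100                  # peer dies for good at t=100
    blip = lambda t: not (100 <= t < 108)     # 8-second outage, then back
    print(sa_deleted_at("periodic", 10, 5, gone))                      # 115
    print(sa_deleted_at("on-demand", 10, 5, gone, traffic=[30, 400]))  # 415
    print(sa_deleted_at("on-demand", 10, 5, gone))                     # None
    print(sa_deleted_at("periodic", 10, 5, blip, horizon=300))         # None
    print(detect(100, 5, blip))                                        # (True, 110, 3)
```

In this model a peer that stays unreachable is declared dead three retry intervals after the first unanswered message, while in on-demand mode the stale SAs remain until the device next has traffic to send.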
To configure IKE DPD:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
