335
4. If the local device receives no response after two retries, the device considers the peer to be
dead, and deletes the IKE SA along with the IPsec SAs it negotiated.
5. If the local device receives a response from the peer during the detection process, the peer is
considered alive. The local device performs a DPD detection again when the triggering interval
is reached or it has traffic to send, depending on the DPD mode.
Follow these guidelines when you configure the IKE DPD feature:
• When DPD settings are configured in both IKE profile view and system view, the DPD settings
in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system
view apply.
• It is a good practice to set the triggering interval longer than the retry interval so that a DPD
detection is not triggered during a DPD retry.
To configure IKE DPD:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable sending IKE DPD
messages.
ike dpd interval
interval [
retry
seconds ]
{
on-demand
|
periodic
}
By default, IKE DPD is disabled.
Enabling invalid SPI recovery
An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot
occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data
packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet
and tries to send an SPI invalid notification to the data originator. This notification is sent by using the
IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues
sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps
dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so
that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer
deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set
up.
Use caution when you enable the invalid SPI recovery feature because using this feature can result
in a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.
To enable invalid SPI recovery:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable invalid SPI recovery.
ike invalid-spi-recovery
enable
By default, the invalid SPI recovery
is disabled.
Setting the maximum number of IKE SAs
You can set the maximum number of half-open IKE SAs and the maximum number of established
IKE SAs.
• The supported maximum number of half-open IKE SAs depends on the device's processing
capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's
processing capability without affecting the IKE SA negotiation efficiency.
To Next Page
Loading...
Need help?
General