
HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

HPE FlexNetwork MSR Series
547 pages
Step 12. Set the subnet types of the two ends.
  Command:
    • Set the subnet type of the local end: local { multi-subnet | single-subnet }
    • Set the subnet type of the peer end: peer { multi-subnet | single-subnet }
  Remarks: Optional. The default subnet type is single-subnet. Use these two commands only when the device is working together with a NetScreen device.

Step 13. Apply a DPD detector to the IKE peer.
  Command: dpd dpd-name
  Remarks: Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector."

Step 14. Specify an inside VPN instance.
  Command: inside-vpn vpn-instance vpn-name
  Remarks: By default, no inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa
commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is
configured with the keepalive timeout, you must configure the keepalive packet transmission interval
on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA
is tagged with the TIMEOUT tag (if it does not have the tag), or deleted along with the IPsec SAs it
negotiated (when it has the tag already).
The keepalive timeout configured at the local end must be longer than the keepalive interval
configured at the remote end. Because it is rare for more than three consecutive packets to be
lost on a network, the keepalive timeout can be set to three times the keepalive interval.
To set the keepalive timers:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Set the ISAKMP SA keepalive interval.
  Command: ike sa keepalive-timer interval seconds
  Remarks: No keepalive packet is sent by default.

Step 3. Set the ISAKMP SA keepalive timeout.
  Command: ike sa keepalive-timer timeout seconds
  Remarks: No keepalive packet is sent by default.

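The following check applies the keepalive timer rules above to the configurations of both tunnel ends. It is an added example, not part of the HPE manual, and it treats the three-times guideline as a warning threshold. It assumes each configuration text contains the commands as typed; the function names and sample configurations are constructed for illustration.

```python
import re

# The two system-view commands from the steps above, with a value in seconds.
TIMER_RE = re.compile(r"^\s*ike\s+sa\s+keepalive-timer\s+(interval|timeout)\s+(\d+)\s*$")

def parse_keepalive(config_text):
    """Extract the keepalive timers from one device's configuration text."""
    timers = {"interval": None, "timeout": None}  # None = not configured
    for line in config_text.splitlines():
        match = TIMER_RE.match(line)
        if match:
            timers[match.group(1)] = int(match.group(2))  # last setting wins
    return timers

def check_direction(sender, receiver, sender_name, receiver_name):
    """Compare the sender's keepalive interval with the receiver's timeout."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if timeout is None:
        return []  # no timeout configured on the receiver: nothing to check
    if interval is None:
        return [("ERROR", f"{receiver_name} has a {timeout}s timeout but "
                          f"{sender_name} has no keepalive interval")]
    if timeout <= interval:
        return [("ERROR", f"{receiver_name} timeout {timeout}s is not longer "
                          f"than {sender_name} interval {interval}s")]
    if timeout < 3 * interval:
        return [("WARN", f"{receiver_name} timeout {timeout}s is under three "
                         f"times {sender_name} interval {interval}s")]
    return []

def check_pair(config_a, config_b):
    """Check both directions of one tunnel; returns (severity, message) pairs."""
    a, b = parse_keepalive(config_a), parse_keepalive(config_b)
    return check_direction(a, b, "A", "B") + check_direction(b, a, "B", "A")

# Constructed sample configurations (not taken from the manual).
SITE_A = "ike sa keepalive-timer interval 30\nike sa keepalive-timer timeout 90\n"
SITE_B_BAD = "ike sa keepalive-timer timeout 25\n"
SITE_B_OK = "ike sa keepalive-timer interval 30\nike sa keepalive-timer timeout 90\n"

if __name__ == "__main__":
    for severity, message in check_pair(SITE_A, SITE_B_BAD):
        print(severity, message)
```
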
Setting the NAT keepalive timer
If IPsec traffic needs to pass through NAT security gateways, you must configure the NAT traversal
function. If no packet travels across an IPsec tunnel in a certain period of time, the NAT mapping
might get aged and be deleted, disabling the tunnel beyond the NAT gateway from transmitting data
