to the intended end. To prevent NAT mappings from aging out, an ISAKMP SA behind the NAT 
security gateway sends NAT keepalive packets to its peer at a certain interval to keep the NAT 
session alive. 
To set the NAT keepalive timer: 
 
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Set the NAT keepalive interval. | ike sa nat-keepalive-timer interval seconds | 20 seconds by default.
 
Configuring a DPD detector 
DPD detects dead IKE peers on demand rather than at regular intervals. It works as follows:  
1.  When the local end sends an IPsec packet, it checks the time the last IPsec packet was 
received from the peer.  
2.  If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.  
3.  If the local end receives no DPD acknowledgement within the DPD packet retransmission 
interval, it retransmits the DPD hello.  
4.  If the local end still receives no DPD acknowledgement after having made the maximum 
number of retransmission attempts (two by default), it considers the peer already dead, and 
clears the IKE SA and the IPsec SAs based on the IKE SA. 
DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less 
traffic than the keepalive mechanism, which exchanges messages periodically. 
To configure a DPD detector: 
 
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a DPD detector and enter its view. | ike dpd dpd-name | N/A
3. Set the DPD interval. | interval-time interval-time | Optional. 10 seconds by default.
4. Set the DPD packet retransmission interval. | time-out time-out | Optional. 5 seconds by default.
 
Disabling next payload field checking 
The Next payload field is in the generic payload header of the last payload of the IKE negotiation 
message (the message comprises multiple payloads). According to the protocol, this field must be 0 
if the payload is the last payload of the packet. However, it might be set to other values on some 
brands of devices. For interoperability, disable the checking of this field. 
To disable Next payload field checking: 
 
Step | Command | Remarks
1. Enter system view. | system-view | N/A