Configuration procedure, Configuring the global identity information, Configuring the ike keepalive function – H3C Technologies H3C S12500-X Series Switches User Manual

Page 170: Configuring the ike nat keepalive function


Configuring the global identity information

Follow these guidelines when you configure the global identity information for the local IKE:

The global identity is used by the device for all IKE SA negotiations. The local identity (set by the local-identity command) applies only to negotiations that use the IKE profile in which it is configured.

When pre-shared key authentication is used, you cannot use the DN as the identity. The DN is taken from the local certificate, so it is only meaningful with certificate-based authentication.

To configure the global identity information:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Configure the global identity to be used by the local end.
  Command: ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
  Remarks: By default, the IP address of the interface to which the IPsec policy is applied is used as the IKE identity.


Configuring the IKE keepalive function

IKE sends keepalive packets to check whether the peer is still alive. The two timers are asymmetric: the keepalive interval controls how often the local device sends keepalives, and the keepalive timeout controls how long the local device waits for keepalives from the peer. If the peer is configured with a keepalive timeout, you must configure the keepalive interval on the local device; otherwise no keepalives are sent and the peer will tear down the SA when its timeout expires. If a device receives no keepalive packets from the peer within the timeout time, it deletes the IKE SA along with the IPsec SAs that the IKE SA negotiated.

Follow these guidelines when you configure the IKE keepalive function:

Configure IKE DPD instead of the IKE keepalive function unless the peer does not support IKE DPD. The keepalive function sends keepalives at fixed intervals whether or not the tunnel carries traffic, which consumes network bandwidth and device resources.

The keepalive timeout configured on the local device must be longer than the keepalive interval configured on the peer; otherwise the local device can delete a healthy IKE SA between two keepalives. Because more than three consecutive packets are seldom lost on a network, a keepalive timeout of three times the peer's keepalive interval is a reasonable setting.

To configure the IKE keepalive function:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Set the IKE SA keepalive interval.
  Command: ike keepalive interval seconds
  Remarks: By default, no keepalives are sent to the peer.

Step 3: Set the IKE SA keepalive timeout time.
  Command: ike keepalive timeout seconds
  Remarks: By default, IKE SA keepalive never times out.
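The following two-peer configuration is an added example that puts the global identity procedure and the keepalive procedure above together; it is not taken from the H3C manual. The device names (DeviceA, DeviceB), the FQDNs, the IKE profile name and prompt, and the timer values are assumptions chosen to satisfy the guidelines; the command syntax is the one given in the tables above, plus the local-identity command from the global identity guidelines.

```text
# ---- DeviceA ----
<DeviceA> system-view
# Global identity for all IKE negotiations. FQDN is usable with pre-shared keys; DN is not.
[DeviceA] ike identity fqdn deviceA.example.com
# Required because DeviceB configures a keepalive timeout: send a keepalive every 20 s.
[DeviceA] ike keepalive interval 20
# 3 x DeviceB's interval (20 s): up to two consecutive keepalives may be lost
# before DeviceA deletes the IKE SA and its IPsec SAs.
[DeviceA] ike keepalive timeout 60
# Optional: override the global identity for negotiations that use one IKE profile
# (profile name and prompt are assumptions).
[DeviceA] ike profile to-branch
[DeviceA-ike-profile-to-branch] local-identity fqdn branch-gw.example.com
[DeviceA-ike-profile-to-branch] quit

# ---- DeviceB ----
<DeviceB> system-view
[DeviceB] ike identity fqdn deviceB.example.com
[DeviceB] ike keepalive interval 20
# Must be longer than DeviceA's interval (20 s); 3 x that interval is used here.
[DeviceB] ike keepalive timeout 60

# ---- Misconfiguration to avoid (shown for contrast, not to be entered) ----
# A timeout of 15 s on DeviceB is shorter than DeviceA's 20 s interval, so DeviceB
# would delete a healthy IKE SA between two keepalives whenever one is delayed.
# [DeviceB] ike keepalive timeout 15
```

After both sides are configured, check the IKE SA state on either peer with display ike sa; an SA that disappears after roughly one keepalive timeout with no traffic loss is the symptom of a timeout shorter than the peer's interval, or of a peer that has a timeout configured while the local device has no interval configured.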


Configuring the IKE NAT keepalive function

If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel for a period of time, the NAT device ages out and deletes its NAT sessions, and the tunnel can no longer deliver data to the intended end. To prevent NAT sessions from being aged out, configure
