Setting keepalive timers, Setting the nat keepalive timer, Configuring a dpd detector – H3C Technologies H3C SecPath F1000-E User Manual


Setting keepalive timers

IKE maintains the link status of an ISAKMP SA by means of keepalive packets. Generally, if the peer is configured with a keepalive timeout, you need to configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA is tagged with the TIMEOUT tag (if it does not have the tag yet), or is deleted together with the IPsec SAs it negotiated (if it already carries the tag). A single missed interval therefore only tags the SA; the second consecutive miss tears it down.

To set the keepalive timers:

Step                                        Command                                    Remarks
1. Enter system view.                       system-view                                N/A
2. Set the ISAKMP SA keepalive interval.    ike sa keepalive-timer interval seconds    No keepalive packet is sent by default.
3. Set the ISAKMP SA keepalive timeout.     ike sa keepalive-timer timeout seconds     No keepalive packet is sent by default.

NOTE:

The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end; otherwise a live peer is tagged, and eventually deleted, simply because its keepalives arrive later than the local timer expects. Since it seldom occurs that more than three consecutive packets are lost on a network, the keepalive timeout can be configured to three times the keepalive interval.
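The tag-then-delete behaviour and the timer relationship from the NOTE, as an added example written for this page (it is not H3C code and does not run on the device). It models the receiving end: the remote peer sends keepalives every `remote_interval` seconds and the local SA is checked each time its `local_timeout` expires. Two assumptions the page does not state are marked in the code: a received keepalive clears an existing TIMEOUT tag, and the SA counts as established at t = 0.

```python
"""Model of the ISAKMP SA keepalive timeout described on this page.

Added example, not H3C code. Assumptions not stated on the page:
- a received keepalive clears an existing TIMEOUT tag;
- the SA is treated as established at t = 0, so the first timeout counts from there.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IsakmpSa:
    peer: str
    timeout: int                         # local keepalive timeout, seconds
    ipsec_sas: List[str] = field(default_factory=list)
    tagged: bool = False                 # the TIMEOUT tag
    deleted: bool = False
    last_keepalive: float = 0.0          # SA establishment time, then time of last keepalive

    def on_keepalive(self, now: float) -> None:
        """Keepalive from the peer: record it and (assumption) clear the tag."""
        if not self.deleted:
            self.last_keepalive = now
            self.tagged = False

    def on_timeout_expiry(self, now: float) -> str:
        """Timeout timer fired: tag on the first miss, delete on the second consecutive miss."""
        if self.deleted:
            return "already-deleted"
        if now - self.last_keepalive < self.timeout:
            return "alive"
        if not self.tagged:
            self.tagged = True
            return "tagged"
        self.deleted = True
        self.ipsec_sas.clear()           # the IPsec SAs this ISAKMP SA negotiated go with it
        return "deleted"


def timeout_is_valid(local_timeout: int, remote_interval: int) -> bool:
    """Rule from the NOTE: the local timeout must exceed the remote interval."""
    return local_timeout > remote_interval


def recommended_timeout(remote_interval: int) -> int:
    """Rule of thumb from the NOTE: tolerate three consecutive lost keepalives."""
    return 3 * remote_interval


def simulate(remote_interval: int, local_timeout: int,
             peer_dies_at: float, horizon: int) -> List[Tuple[int, str]]:
    """Return (time, action) for every timeout expiry until deletion or `horizon`."""
    sa = IsakmpSa(peer="203.0.113.2", timeout=local_timeout,
                  ipsec_sas=["esp-inbound", "esp-outbound"])
    # Constructed traffic: the peer keeps sending until it dies at peer_dies_at.
    keepalives = {t for t in range(remote_interval, horizon + 1, remote_interval)
                  if t <= peer_dies_at}
    expiries = set(range(local_timeout, horizon + 1, local_timeout))
    events: List[Tuple[int, str]] = []
    for t in sorted(keepalives | expiries):
        if t in keepalives:              # a keepalive arriving at the same instant still counts
            sa.on_keepalive(t)
        if t in expiries:
            action = sa.on_timeout_expiry(t)
            events.append((t, action))
            if action == "deleted":
                break
    return events


if __name__ == "__main__":
    # Well formed: remote interval 20 s, local timeout 3 x 20 = 60 s, peer dies at t = 100.
    print(simulate(20, 60, peer_dies_at=100, horizon=400))
    # Misconfigured: timeout 15 s is shorter than the remote interval of 20 s; a live peer gets tagged.
    print(simulate(20, 15, peer_dies_at=float("inf"), horizon=100))
```

With the recommended 3x relationship the dead peer is tagged at the first expiry after its last keepalive has aged past the timeout and deleted at the next one; with a timeout shorter than the remote interval the model shows a perfectly healthy peer being tagged on every expiry that falls between two of its keepalives, which is exactly what the NOTE warns against.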

Setting the NAT keepalive timer

If IPsec traffic needs to pass through NAT security gateways, you need to configure the NAT traversal function. If no packet travels across an IPsec tunnel for a certain period of time, the NAT mapping may age out and be deleted, so the tunnel endpoint beyond the NAT gateway can no longer deliver data to the intended end. To prevent NAT mappings from aging out, an ISAKMP SA behind the NAT security gateway sends NAT keepalive packets to its peer at a fixed interval to keep the NAT session alive.

To set the NAT keepalive timer:

Step                                        Command                                    Remarks
1. Enter system view.                       system-view                                N/A
2. Set the NAT keepalive interval.          ike sa nat-keepalive-timer interval seconds    The default NAT keepalive interval is 20 seconds.

Configuring a DPD detector

Dead peer detection (DPD) detects dead IKE peers on demand rather than on a fixed schedule: a probe is sent only when the local end has IPsec traffic to send and has heard nothing from the peer for a while, so an idle tunnel generates no DPD traffic. It works as follows:

1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

2. If the time elapsed exceeds the DPD interval, it sends a DPD hello to the peer.

3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
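Steps 1 to 3 as an added example written for this page (not H3C code, and not something that runs on the device). The point it makes that the list alone does not is the contrast with the keepalive timers above: nothing here fires on a schedule, a DPD hello is only considered when the local end has an IPsec packet to send. Two assumptions the page does not state are marked in the code: a DPD acknowledgement counts as a packet received from the peer, and no retry limit is modelled because the page's procedure stops at the retransmission step.

```python
"""Model of the on-demand DPD check in steps 1 to 3 of this page.

Added example, not H3C code. Assumptions not stated on the page:
- a DPD acknowledgement counts as a packet received from the peer;
- no retransmission limit is modelled (the page's list ends at step 3).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DpdDetector:
    dpd_interval: float          # receive silence after which an outbound packet triggers a hello
    retransmit_interval: float   # how long to wait for an ack before resending the hello
    last_received: float = 0.0   # time of the last IPsec packet received from the peer
    hello_sent_at: Optional[float] = None
    retransmissions: int = 0

    def on_ipsec_received(self, now: float) -> None:
        """Bookkeeping for step 1: remember when the peer last proved it is alive."""
        self.last_received = now

    def on_dpd_ack(self, now: float) -> None:
        """Peer answered the hello: stop retransmitting. Assumption: the ack counts as received traffic."""
        self.hello_sent_at = None
        self.last_received = now

    def on_ipsec_send(self, now: float) -> Optional[str]:
        """Steps 1 and 2: an outbound IPsec packet is the only trigger for a DPD hello."""
        if self.hello_sent_at is not None:
            return None                  # a hello is already outstanding
        if now - self.last_received > self.dpd_interval:
            self.hello_sent_at = now
            return "dpd-hello"
        return None

    def on_tick(self, now: float) -> Optional[str]:
        """Step 3: retransmit the hello if no ack arrived within the retransmission interval."""
        if self.hello_sent_at is None:
            return None
        if now - self.hello_sent_at >= self.retransmit_interval:
            self.hello_sent_at = now
            self.retransmissions += 1
            return "dpd-hello-retransmit"
        return None


def run_scenario(events: List[Tuple[int, str]]) -> List[str]:
    """Replay constructed (time, event) pairs and return every DPD message the local end sends."""
    d = DpdDetector(dpd_interval=30, retransmit_interval=10)
    sent: List[str] = []
    for t, ev in events:
        out = None
        if ev == "recv":
            d.on_ipsec_received(t)
        elif ev == "ack":
            d.on_dpd_ack(t)
        elif ev == "send":
            out = d.on_ipsec_send(t)
        elif ev == "tick":
            out = d.on_tick(t)
        if out:
            sent.append(f"{t}:{out}")
    return sent


# Constructed scenarios (not captured traffic).
IDLE_TUNNEL = [(t, "tick") for t in range(10, 200, 10)]                 # silence both ways: never probed
ACTIVE_PEER = [(5, "recv"), (20, "send"), (25, "recv"), (50, "send")]    # peer keeps talking: never probed
SILENT_PEER = [(0, "recv"), (40, "send"), (45, "tick"), (50, "tick"),   # peer silent 40 s, then answers
               (60, "tick"), (62, "ack"), (63, "send")]

if __name__ == "__main__":
    for name, scenario in [("idle", IDLE_TUNNEL), ("active", ACTIVE_PEER), ("silent", SILENT_PEER)]:
        print(name, run_scenario(scenario))
```

The idle scenario is the one worth noticing: the peer has been silent for the whole run, yet no hello is ever sent, because the local end never had an IPsec packet to send. If you need a dead peer noticed on an idle tunnel, that is the job of the keepalive timers, not DPD.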
