Configuring global ipsec settings for a device, Configuration guidelines, Configuration procedure – H3C Technologies H3C Intelligent Management Center User Manual

Page 36: Configuring global IPsec settings for a device


5. Configure the following parameters:
   - Slot Number—This field displays the slot number of the encryption card. For example, 3/0 indicates that the encryption card is installed on slot 3, and the encryption card interface is interface encrypt 3/0.
   - Status—Select the state of the encryption card: Enable or Disable.
   - Enable Encryption Engine—Enable (Yes) or disable (No) the encryption engine.
   - Failover to CPU or Encryption Engine—Enable (Yes) or disable (No) failover to CPU or encryption engine.

6. Click OK.
   IVM immediately deploys the configuration to the device.

Configuring global IPsec settings for a device

You can set the global ISAKMP keepalive timers and the IPsec SA lifetime for an IPsec device.

ISAKMP SA keepalive timers—IKE maintains the link status of an ISAKMP SA by keepalive packets. Two timers are defined for the keepalive packets: the keepalive timeout timer and the keepalive interval. The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the remote end. The keepalive timeout is typically configured to be three times that of the keepalive interval, because consecutive packet loss seldom occurs more than three times.

IPsec SA lifetime—A manually configured IPsec SA never ages out. An IKE-created IPsec SA has a lifetime. The SA becomes invalid when its lifetime timer expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after creation. IVM supports IKE-negotiated SAs only, and does not allow manual setup of SAs.

Configuration guidelines

When negotiating an IPsec SA on an interface, IKE preferentially adopts the lifetime settings defined in the IPsec proposal applied to the interface. If the proposal does not contain any SA lifetime setting, IKE uses the global lifetime settings for negotiation.

The IKE keepalive timers can only be configured in the global settings. You cannot configure the keepalive timers in an IKE proposal.
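The keepalive rule and the lifetime fallback described above can be checked before values are entered on the Global Setup page. The following is an added example, not code from IVM or H3C: the `Device` fields, the function names and the sample values are hypothetical, and the 3x threshold is treated as a warning because the manual calls it typical rather than mandatory.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Device:
    """Global settings of one IPsec device (hypothetical field names)."""
    name: str
    keepalive_interval: int   # seconds between keepalive packets sent to the peer
    keepalive_timeout: int    # seconds to wait for the peer's keepalive packets
    global_sa_lifetime: int   # global time-based IPsec SA lifetime, in seconds


def effective_sa_lifetime(dev: Device, proposal_lifetime: Optional[int]) -> int:
    """The lifetime in the applied IPsec proposal wins; global is the fallback."""
    return dev.global_sa_lifetime if proposal_lifetime is None else proposal_lifetime


def check_direction(local: Device, remote: Device) -> List[str]:
    """Compare the local timeout with the interval the remote end sends at."""
    timeout, interval = local.keepalive_timeout, remote.keepalive_interval
    if timeout <= interval:
        return [f"ERROR {local.name}: timeout {timeout}s is not longer than "
                f"{remote.name} interval {interval}s"]
    if timeout < 3 * interval:
        return [f"WARN {local.name}: timeout {timeout}s is under 3x "
                f"{remote.name} interval {interval}s"]
    return []


def check_pair(a: Device, b: Device) -> List[str]:
    """Each end has its own timers, so check both directions of the tunnel."""
    return check_direction(a, b) + check_direction(b, a)


# Constructed sample values, not taken from the manual.
HQ = Device("hq", keepalive_interval=20, keepalive_timeout=60, global_sa_lifetime=3600)
BRANCH = Device("branch", keepalive_interval=30, keepalive_timeout=60, global_sa_lifetime=3600)
LAB = Device("lab", keepalive_interval=60, keepalive_timeout=45, global_sa_lifetime=7200)

if __name__ == "__main__":
    for a, b in [(HQ, BRANCH), (HQ, LAB)]:
        for finding in check_pair(a, b) or [f"OK {a.name} <-> {b.name}"]:
            print(finding)
    print(effective_sa_lifetime(LAB, None), effective_sa_lifetime(LAB, 1800))
```

An ERROR finding means the local end can time out between two keepalive packets that the peer sent on schedule.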

Configuration procedure

1. Click the Service tab.

2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > IPsec Devices.
   The IPsec Device List displays all IPsec devices.

3. Click the Operation icon of the device for which you want to configure global IPsec settings.

4. Select Global Setup from the shortcut menu.
   The Global Setup page appears.

5. Select the Configure Keepalive Settings option, and configure the following keepalive timers:
   - Keepalive Timeout Timer (sec)—Specify the timeout time for the keepalive packets, in seconds.
   - Keepalive Timer (sec)—Specify the interval at which the device sends keepalive packets to the peer, in seconds.

6. Select the Set IPsec SA Lifetime option, and specify the traffic-based lifetime and time-based lifetime for the SA:
