Managing ipsec tunnels – H3C Technologies H3C Intelligent Management Center User Manual
The Registration Information Details window appears.
Registration Information Details contents
• Device Name—Name of the VAM client.
• Interval (s)—Interval at which the client retransmits the VAM protocol packet when it does not receive a response from the server, in seconds. A VAM protocol packet can be a connection request, negotiation acknowledgement, registration request, or authentication request.
• Username—User name used by the VAM client for authentication.
• Prim Server Encryption Algorithm—Encryption algorithm used for encrypting authentication packets that are exchanged between the primary VAM server and client.
• Prim Server Auth Algorithm—Authentication algorithm used for authenticating connection requests from the VAM client and authentication responses from the primary VAM server.
• Prim Server Duration—How long the VAM client has been connected to the primary VAM server.
• Sec Server Encryption Algorithm—Encryption algorithm used for encrypting authentication packets that are exchanged between the secondary VAM server and client.
• Sec Server Auth Algorithm—Authentication algorithm used for authenticating connection requests from the VAM client and authentication responses from the secondary VAM server.
• Sec Server Duration—How long the VAM client has been connected to the secondary VAM server.
8. Click Close to close the Registration Information Details window.
Managing IPsec tunnels
An IPsec tunnel is a bidirectional channel created between two peers. IVM periodically synchronizes
IPsec devices to discover the IPsec tunnels established on the devices. The tunnels can be deployed by
IVM, manually configured on the device by operators, or established through automatic negotiation in
the DVPN. The IPsec tunnel can be in Ready state or Disconnected state:
• Ready state—The tunnel has been established through IPsec SA negotiation, and protected data can be transmitted in the tunnel.
• Disconnected state—The lifetime timer of the IPsec SAs has expired, and new SAs failed to be established due to the lack of protected data flows or failure to receive an SA negotiation response from the tunnel peer end.
An IPsec SA can be set up manually or through IKE negotiation (ISAKMP). A manually created SA never
ages out. An IKE-created SA has a specified lifetime, which can be time-based or traffic-based. IVM supports
only IKE-created SAs when deploying IPsec tunnels.
If no traffic that requires IPsec protection is transmitted after the lifetime timer of an IKE-negotiated SA
expires, the system disconnects the IPsec tunnel established between the SAs. With tunnel traps
configured for an IPsec device, the device sends a trap to IVM whenever a tunnel is set up or
disconnected. IVM updates the tunnel status of the device based on the received tunnel traps, and
records the tunnel setup and disconnect history. For more information about setting tunnel traps for a
device, see "
You can query, view, delete, enable or disable monitoring of an IPsec tunnel. You can also query, view,
and export the tunnel event history of an IPsec device.
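
The SA lifetime and tunnel-state rules described above, as a simplified model added here (not H3C or IVM code). The class names, the step interval and the sample timeline are assumptions constructed for illustration, and the history list stands in for the records IVM builds from tunnel traps.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Sa:
    """IPsec SA; both limits None models a manual SA, which never ages out."""
    max_seconds: Optional[int] = None   # time-based lifetime
    max_kbytes: Optional[int] = None    # traffic-based lifetime
    age: int = 0
    kbytes: int = 0

    def expired(self) -> bool:
        by_time = self.max_seconds is not None and self.age >= self.max_seconds
        by_traffic = self.max_kbytes is not None and self.kbytes >= self.max_kbytes
        return by_time or by_traffic

@dataclass
class Tunnel:
    sa: Sa
    state: str = "Ready"                 # assumed already established at t=0
    history: list = field(default_factory=list)  # (time, new_state) per trap

    def _trap(self, now: int, new_state: str) -> None:
        # Stand-in for the setup/disconnect trap the manager records.
        self.state = new_state
        self.history.append((now, new_state))

    def step(self, now: int, seconds: int, kbytes: int, peer_responds: bool) -> None:
        # New SAs need protected traffic to trigger them and a peer that answers.
        can_negotiate = kbytes > 0 and peer_responds
        if self.state == "Ready":
            self.sa.age += seconds
            self.sa.kbytes += kbytes
            if self.sa.expired():
                if can_negotiate:
                    self.sa.age = self.sa.kbytes = 0   # new SAs replace the old
                else:
                    self._trap(now, "Disconnected")
        elif can_negotiate:
            self.sa.age = self.sa.kbytes = 0
            self._trap(now, "Ready")

def replay(sa: Sa, intervals) -> Tunnel:
    """intervals: constructed (seconds, protected_kbytes, peer_responds) tuples."""
    tunnel, now = Tunnel(sa), 0
    for seconds, kbytes, peer_responds in intervals:
        now += seconds
        tunnel.step(now, seconds, kbytes, peer_responds)
    return tunnel

# Constructed timeline: 30-minute steps against a 1-hour time-based lifetime.
SAMPLE = [(1800, 500, True), (1800, 200, True), (1800, 0, True),
          (1800, 0, True), (1800, 50, False), (1800, 50, True)]
```

Calling `replay(Sa(max_seconds=3600), SAMPLE)` yields a history with one disconnect (lifetime expired with no protected traffic) followed by one setup once traffic resumes and the peer responds.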