Ike configuration example, Network requirements – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 855
834
Field
Description
Flag
Status of the SA. Possible values include:
•
RD—Ready. The SA has already been established and is ready for use.
•
ST—Stayalive. The local end is the tunnel negotiation initiator.
•
RL—Replaced. The tunnel has been replaced and will be cleared soon.
•
FD—Fading. The soft lifetime expires but the tunnel is still in use. The
tunnel will be deleted when the hard lifetime expires.
•
TO—Timeout. The SA has received no keepalive packets after the last
keepalive timeout. If no keepalive packets are received before the next
keepalive timeout, the SA will be deleted.
IMPORTANT:
IKE maintains the link status of an ISAKMP SA by keepalive packets.
Generally, if the peer is configured with the keepalive timeout, you must
configure the keepalive packet transmission interval on the local end. If the
peer receives no keepalive packet during the timeout interval, the ISAKMP SA
will be tagged with the TIMEOUT tag (if it does not have the tag), or be deleted
along with the IPsec SAs it negotiated (when it has the tag already).
Domain of Interpretation
Interpretation domain to which the SA belongs.
IKE configuration example
Network requirements
As shown in
, configure an IPsec tunnel between AC 1 and AC 2 to protect traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
On AC 1, configure an IKE proposal that uses the sequence number 10 and the authentication algorithm
MD5. AC 2 uses the default IKE proposal.
Configure the pre-shared key authentication method.
Figure 888 Network diagram