R3303-HP HSR6800 Routers Security Configuration Guide

NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA by sending keepalive packets. Generally, if the peer is configured with the keepalive timeout, you must configure the keepalive packet transmission interval on the local end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA is tagged with the TIMEOUT tag (if it does not have the tag yet), or deleted along with the IPsec SAs it negotiated (if it already has the tag).
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Since it seldom occurs that more than three consecutive packets are lost on a network, the keepalive timeout can be configured to be three times the keepalive interval.
To set the keepalive timers:
Step                                      Command                                    Remarks
1. Enter system view.                     system-view                                N/A
2. Set the ISAKMP SA keepalive interval.  ike sa keepalive-timer interval seconds    No keepalive packet is sent by default.
3. Set the ISAKMP SA keepalive timeout.   ike sa keepalive-timer timeout seconds     No keepalive packet is sent by default.
Setting the NAT keepalive timer
If IPsec traffic needs to pass through NAT security gateways, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel for a certain period of time, the NAT mapping might age out and be deleted, so the tunnel beyond the NAT gateway can no longer deliver data to the intended end. To prevent NAT mappings from aging out, an ISAKMP SA behind the NAT security gateway sends NAT keepalive packets to its peer at a certain interval to keep the NAT session alive.
To set the NAT keepalive timer:
Step                                      Command                                    Remarks
1. Enter system view.                     system-view                                N/A
2. Set the NAT keepalive interval.        ike sa nat-keepalive-timer interval seconds   20 seconds by default.
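The following is an added configuration example, not taken from this guide, showing the ISAKMP SA keepalive timers and the NAT keepalive timer on two peers. The device names PeerA and PeerB and the timer values (30-second interval, 90-second timeout, that is, three times the remote interval) are constructed; PeerB is assumed to sit behind a NAT gateway.

```text
# Peer A: sends a keepalive every 30 s and declares B dead after 90 s without one.
# 90 s is three times B's 30 s interval, so three consecutive lost packets are tolerated.
<PeerA> system-view
[PeerA] ike sa keepalive-timer interval 30
[PeerA] ike sa keepalive-timer timeout 90
[PeerA] quit
# Clear existing SAs so the new timers apply at the next negotiation (see the NOTE above).
<PeerA> reset ike sa
<PeerA> reset ipsec sa

# Peer B (assumed to be behind a NAT gateway): same keepalive timers, mirrored,
# plus NAT keepalives every 20 s (the default) so the NAT mapping does not age out.
<PeerB> system-view
[PeerB] ike sa keepalive-timer interval 30
[PeerB] ike sa keepalive-timer timeout 90
[PeerB] ike sa nat-keepalive-timer interval 20
[PeerB] quit
<PeerB> reset ike sa
<PeerB> reset ipsec sa
```

Each side's timeout (90 s) must exceed the other side's interval (30 s); if the intervals differ between peers, check this relationship in both directions.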
Configuring a DPD detector
DPD detects dead IKE peers on demand rather than at fixed intervals. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.