R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Field            Description
Flag             Status of the SA. Possible values include:
RD (ready)—Indicates that the SA has already been established and is ready for use.
ST (stayalive)—Indicates that the local end is the tunnel negotiation initiator.
RL (replaced)—Indicates that the tunnel has been replaced and will be cleared soon.
FD (fading)—Indicates that the soft lifetime has expired but the tunnel is still in use. The tunnel will be deleted when the hard lifetime expires.
TO (timeout)—Indicates that the SA has received no keepalive packets since the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
IMPORTANT:
IKE maintains the link status of an ISAKMP SA with keepalive packets. If the peer is configured with a keepalive timeout, you must configure the keepalive packet transmission interval on the local end, and the interval must be shorter than the peer's timeout so that at least one keepalive arrives in every timeout period. If the peer receives no keepalive packet within its timeout interval, it tags the ISAKMP SA as TIMEOUT (if the tag is not already set), or deletes the ISAKMP SA along with the IPsec SAs it negotiated (if the tag is already set). Keepalive packets cannot be configured through the web interface; use the CLI for this setting.
Domain of        Interpretation domain (DOI) that the SA belongs to.
Interpretation
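The flag transitions and the keepalive rule in the table above, as an added Python model. This is not code from the HP guide or from the firewall; the class names, peer names and timestamps are constructed for illustration. It shows that a single keepalive timeout with nothing received only tags the SA TO, that a keepalive arriving afterwards clears the tag, and that a second consecutive miss deletes the ISAKMP SA together with the IPsec SAs it negotiated; the soft/hard lifetime transition to FD is modelled the same way. The keepalive_config_ok check encodes the caveat that a peer with a keepalive timeout needs a local transmit interval shorter than that timeout.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Flag values as displayed in the SA table above.
RD, ST, RL, FD, TO = "RD", "ST", "RL", "FD", "TO"


@dataclass
class IsakmpSA:
    """Hypothetical model of one ISAKMP SA and the IPsec SAs it negotiated."""
    peer: str
    initiator: bool = False
    ipsec_sas: List[str] = field(default_factory=list)
    flags: Set[str] = field(default_factory=set)
    deleted: bool = False
    last_keepalive_rx: float = 0.0      # time the last keepalive arrived

    def __post_init__(self) -> None:
        self.flags.add(RD)              # established and ready for use
        if self.initiator:
            self.flags.add(ST)          # local end initiated the negotiation

    def keepalive_received(self, now: float) -> None:
        """A keepalive from the peer clears any pending TIMEOUT tag."""
        self.last_keepalive_rx = now
        self.flags.discard(TO)

    def keepalive_timeout(self, now: float, timeout: float) -> None:
        """Run by the receiving end each time its keepalive timeout expires."""
        if self.deleted or now - self.last_keepalive_rx < timeout:
            return                      # a keepalive arrived within this window
        if TO in self.flags:
            self.delete()               # second consecutive miss: tear down
        else:
            self.flags.add(TO)          # first miss only tags the SA

    def lifetime_check(self, age: float, soft: float, hard: float) -> None:
        """Soft lifetime expiry marks the SA FD; hard lifetime expiry deletes it."""
        if age >= hard:
            self.delete()
        elif age >= soft:
            self.flags.add(FD)

    def delete(self) -> None:
        self.deleted = True
        self.ipsec_sas.clear()          # the IPsec SAs go with the ISAKMP SA
        self.flags.clear()


def keepalive_config_ok(local_interval: Optional[float],
                        peer_timeout: Optional[float]) -> bool:
    """Settings check: a peer with a keepalive timeout needs a local transmit
    interval, and that interval must be shorter than the peer's timeout so
    at least one keepalive lands in every timeout window."""
    if peer_timeout is None:
        return True
    return local_interval is not None and local_interval < peer_timeout


def run_keepalive_timeline(sa: IsakmpSA, timeout: float,
                           keepalive_rx_times: List[float],
                           horizon: float) -> List[Tuple[float, List[str], bool]]:
    """Replay keepalive arrivals against a timer that fires every `timeout`
    seconds; return (time, flags, deleted) after each timer expiry."""
    events = [(t, "rx") for t in keepalive_rx_times]
    events += [(k * timeout, "timer") for k in range(1, int(horizon // timeout) + 1)]
    history = []
    for t, kind in sorted(events):      # "rx" sorts before "timer" at equal t
        if kind == "rx":
            sa.keepalive_received(t)
        else:
            sa.keepalive_timeout(t, timeout)
            history.append((t, sorted(sa.flags), sa.deleted))
    return history


def peer_goes_silent() -> List[Tuple[float, List[str], bool]]:
    """Constructed scenario: keepalives at 20 s, 40 s and 55 s, then nothing."""
    sa = IsakmpSA("FirewallB", initiator=True, ipsec_sas=["ipsec-in", "ipsec-out"])
    return run_keepalive_timeline(sa, timeout=60, keepalive_rx_times=[20, 40, 55], horizon=180)


def peer_recovers() -> List[Tuple[float, List[str], bool]]:
    """Constructed scenario: one missed window, then keepalives resume at 130 s."""
    sa = IsakmpSA("FirewallB", initiator=True, ipsec_sas=["ipsec-in", "ipsec-out"])
    return run_keepalive_timeline(sa, timeout=60, keepalive_rx_times=[20, 130], horizon=180)


if __name__ == "__main__":
    for step in peer_goes_silent():
        print("silent peer   t=%3d flags=%s deleted=%s" % step)
    for step in peer_recovers():
        print("peer recovers t=%3d flags=%s deleted=%s" % step)
```

In the silent-peer scenario the SA is still RD/ST after the first timer expiry at 60 s, carries TO after the second at 120 s, and is gone at 180 s; in the recovery scenario the keepalive at 130 s clears TO and the SA survives. When checking a real deployment, compare the local transmission interval against the peer's configured timeout with the same rule as keepalive_config_ok.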
IKE configuration example
Network requirements
As shown in Figure 22, an IPsec tunnel is established through IKE negotiation between Firewall A and Firewall B to allow secure communication between Host A and Host B.
Firewall A is configured with an IKE proposal that has sequence number 10 and uses MD5 as the authentication algorithm. Firewall B uses the default IKE proposal.
Both firewalls use the pre-shared key authentication method.
Figure 22 Network diagram for IKE configuration
Configuration procedure
1. Configure Firewall A
# Configure the IKE peer.
Select VPN > IKE > Peer from the navigation tree and then click Add.