R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

To do… / Use the command… / Remarks

To do: Configure the name of the remote security gateway
  Command: remote-name name
  Remarks: Optional.

To do: Configure the IP addresses of the two ends
  Specify an IP address for the local gateway
    Command: local-address ip-address
    Remarks: Optional. By default, it is the primary IP address of the interface referencing the security policy. The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer.
  Configure the IP addresses of the remote gateway
    Command: remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }

To do: Enable the NAT traversal function for IPsec/IKE
  Command: nat traversal
  Remarks: Optional. Required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE. Disabled by default.

To do: Set the subnet types of the two ends
  Set the subnet type of the local end
    Command: local { multi-subnet | single-subnet }
  Set the subnet type of the peer end
    Command: peer { multi-subnet | single-subnet }
  Remarks: Optional. single-subnet by default. Used only when the device is working together with a NetScreen device.

To do: Apply a DPD detector to the IKE peer
  Command: dpd dpd-name
  Remarks: Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector."
NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
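A mirrored pair of IKE peer configurations for two gateways, added here to illustrate the table above; it is not taken from the guide. The ike peer view-entry command, the device and peer names, the documentation-range addresses 192.0.2.1 and 198.51.100.1, and the DPD detector name dpd1 are assumptions; the detector itself is created as described in "Configuring a DPD detector", and the NetScreen-only local/peer subnet commands are left at their single-subnet default.

```text
# Added example (not from the guide). Lines starting with # are annotations, not CLI input.
# Gateway A: public address 192.0.2.1 (assumed). Gateway B: public address 198.51.100.1 (assumed).
# No NAT gateway sits between them, so nat traversal stays at its default (disabled).

# --- Gateway A ---
[GatewayA] ike peer to-gateway-b                     # assumed view-entry command and peer name
[GatewayA-ike-peer-to-gateway-b] remote-name gateway-b
[GatewayA-ike-peer-to-gateway-b] local-address 192.0.2.1
[GatewayA-ike-peer-to-gateway-b] remote-address 198.51.100.1
[GatewayA-ike-peer-to-gateway-b] dpd dpd1            # assumed detector name, created beforehand

# --- Gateway B ---
[GatewayB] ike peer to-gateway-a
[GatewayB-ike-peer-to-gateway-a] remote-name gateway-a
[GatewayB-ike-peer-to-gateway-a] local-address 198.51.100.1   # equals Gateway A's remote-address
[GatewayB-ike-peer-to-gateway-a] remote-address 192.0.2.1     # equals Gateway A's local-address
[GatewayB-ike-peer-to-gateway-a] dpd dpd1

# Mismatch to avoid: if Gateway B used "local-address 198.51.100.2" instead, it would not be
# identical to Gateway A's "remote-address 198.51.100.1", which the table's remark requires.

# After changing either peer, clear the existing SAs as the NOTE above requires,
# otherwise SA re-negotiation fails (user view):
<GatewayA> reset ipsec sa
<GatewayA> reset ike sa
<GatewayB> reset ipsec sa
<GatewayB> reset ike sa
```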
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured
with the keepalive timeout, you need to configure the keepalive packet transmission interval on the local
end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA will be tagged