R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
with the TIMEOUT tag (if it does not have the tag), or be deleted along with the IPsec SAs it negotiated (when it has the tag already).
Follow these steps to set the keepalive timers:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set the ISAKMP SA keepalive interval | ike sa keepalive-timer interval seconds | Required. No keepalive packet is sent by default. |
| Set the ISAKMP SA keepalive timeout | ike sa keepalive-timer timeout seconds | Required. No keepalive packet is sent by default. |
NOTE:
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Since it seldom happens that more than three consecutive packets are lost on a network, the keepalive timeout can be set to three times the keepalive interval.
Setting the NAT keepalive timer
If IPsec traffic needs to pass through NAT security gateways, you need to configure the NAT traversal function. If no packet travels across an IPsec tunnel for a certain period of time, the NAT mapping may age out and be deleted, preventing the tunnel beyond the NAT gateway from transmitting data to the intended end. To keep NAT mappings from aging out, an ISAKMP SA behind the NAT security gateway sends NAT keepalive packets to its peer at a fixed interval to keep the NAT session alive.
Follow these steps to set the NAT keepalive timer:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Set the NAT keepalive interval | ike sa nat-keepalive-timer interval seconds | Required. 20 seconds by default. |
Configuring a DPD detector
Dead peer detection (DPD) detects dead IKE peers on demand rather than at fixed intervals. It works as follows:
1. When the local end sends an IPsec packet, it checks the time at which the last IPsec packet was received from the peer.
2. If that time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after making the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs based on that IKE SA.
DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.
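The four DPD steps above, modelled as an added Python example (not code from the guide or from the firewall itself): the DPD interval, retransmission interval and the send/receive timelines are constructed values, and driving every check from the local end's own send events is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DpdDetector:
    """Models the four DPD steps for one IKE peer (all times in seconds)."""
    dpd_interval: float          # silence from the peer that triggers a DPD hello
    retransmit_interval: float   # wait for an acknowledgement before retransmitting
    max_retransmits: int = 2     # retransmission attempts before the peer is declared dead
    last_rx: float = 0.0         # time the last IPsec packet was received from the peer
    hello_sent_at: Optional[float] = None
    retransmits: int = 0
    alive: bool = True

    def on_receive(self, now):
        # Any packet from the peer (IPsec data or a DPD ack) proves liveness and cancels the probe.
        self.last_rx, self.hello_sent_at, self.retransmits = now, None, 0

    def on_send(self, now):
        """Step 1: run each time the local end sends an IPsec packet; returns the DPD action."""
        if not self.alive:
            return "dead"
        if self.hello_sent_at is None:
            if now - self.last_rx <= self.dpd_interval:
                return "idle"
            self.hello_sent_at = now                      # step 2: send a DPD hello
            return "hello"
        if now - self.hello_sent_at < self.retransmit_interval:
            return "waiting"
        if self.retransmits < self.max_retransmits:       # step 3: retransmit the hello
            self.retransmits += 1
            self.hello_sent_at = now
            return "retransmit"
        self.alive = False                                 # step 4: peer is dead; clear IKE and IPsec SAs
        return "dead"

def simulate(timeline, dpd_interval=10.0, retransmit_interval=5.0, max_retransmits=2):
    """Replays a list of (time, "rx"|"tx") events; returns the action per send and peer liveness."""
    det = DpdDetector(dpd_interval, retransmit_interval, max_retransmits)
    actions = []
    for t, kind in timeline:
        if kind == "rx":
            det.on_receive(t)
        else:
            actions.append((t, det.on_send(t)))
    return actions, det.alive
# Constructed timelines: a peer that falls silent after t=0, and one that answers the hello at t=13.
SILENT_PEER = [(0, "rx"), (5, "tx"), (12, "tx"), (15, "tx"), (18, "tx"),
               (20, "tx"), (24, "tx"), (27, "tx"), (30, "tx")]
RESPONSIVE_PEER = [(0, "rx"), (12, "tx"), (13, "rx"), (20, "tx")]
```

With the defaults, `simulate(SILENT_PEER)` sends the hello at t=12, retransmits at t=18 and t=24, and declares the peer dead at t=30, while the responsive peer's reply at t=13 cancels the probe.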