R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Follow these steps to configure a DPD detector:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a DPD detector and enter its view | ike dpd dpd-name | Required |
| Set the DPD interval | interval-time interval-time | Optional. 10 seconds by default |
| Set the DPD packet retransmission interval | time-out time-out | Optional. 5 seconds by default |
Disabling next payload field checking
The Next payload field sits in the generic payload header of each payload of an IKE negotiation message (a message comprises multiple payloads). According to the protocol, this field must be 0 in the last payload of the packet. However, some brands of devices set it to other values in the last payload. For interoperability with such devices, disable checking of this field.
Follow these steps to disable Next payload field checking:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Disable Next payload field checking | ike next-payload check disabled | Required. Enabled by default |
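To make the check concrete, the following added example (not code from the HP guide or the firewall's own implementation) parses a constructed IKEv1/ISAKMP message payload by payload and applies the rule described above: the Next payload field of the last generic payload header must be 0. A `strict` flag stands in for the guide's next-payload checking setting: with it on, a non-zero trailing value is rejected; with it off, the value is tolerated and only reported, which is the interoperability behaviour the guide describes. The header layouts follow RFC 2408; the cookie values, exchange type and payload bodies are constructed sample data.

```python
"""Walk an ISAKMP payload chain and apply the Next Payload rule.

Added example, not from the HP configuration guide. Layouts per RFC 2408:
ISAKMP header: initiator cookie (8), responder cookie (8), next payload (1),
version (1), exchange type (1), flags (1), message ID (4), length (4).
Generic payload header: next payload (1), RESERVED (1), payload length (2).
"""
import struct

ISAKMP_HDR_LEN = 28
GENERIC_HDR_LEN = 4
NP_NONE = 0  # Next Payload value meaning "no further payload"


def parse_payload_chain(msg: bytes):
    """Return [(payload_type, next_payload, body), ...] in chain order.

    payload_type of the first payload comes from the ISAKMP header; every
    later type comes from the preceding payload's Next Payload field.
    """
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than ISAKMP header")
    total_len = struct.unpack("!I", msg[24:28])[0]
    if total_len != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    payloads = []
    offset = ISAKMP_HDR_LEN
    ptype = msg[16]  # Next Payload field of the ISAKMP header
    while offset < len(msg):
        if offset + GENERIC_HDR_LEN > len(msg):
            raise ValueError("truncated generic payload header")
        next_np, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < GENERIC_HDR_LEN or offset + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        payloads.append((ptype, next_np, msg[offset + 4:offset + plen]))
        offset += plen
        ptype = next_np
    return payloads


def check_next_payload(msg: bytes, strict: bool = True):
    """Return (accepted, reason) for the Next Payload rule.

    strict=True mirrors checking enabled (the default); strict=False mirrors
    'ike next-payload check disabled': the message is still accepted.
    """
    payloads = parse_payload_chain(msg)
    if not payloads:
        return False, "message carries no payloads"
    # A payload that declares NONE must really be the last one.
    for i, (_ptype, np_, _body) in enumerate(payloads[:-1]):
        if np_ == NP_NONE:
            return False, f"payload {i} declares NONE but {len(payloads) - i - 1} more follow"
    last_np = payloads[-1][1]
    if last_np != NP_NONE:
        if strict:
            return False, f"last payload has Next Payload {last_np}, expected 0"
        return True, f"tolerated non-zero trailing Next Payload {last_np}"
    return True, "ok"


def build_message(chain, trailing_np: int = NP_NONE, exchange_type: int = 2) -> bytes:
    """Build a constructed IKEv1 message from [(payload_type, body), ...].

    trailing_np overrides the last payload's Next Payload field so the
    behaviour of non-compliant devices can be reproduced offline.
    Cookies (0x11.., 0x22..) and exchange type 2 are sample values.
    """
    body = b""
    for i, (ptype, data) in enumerate(chain):
        is_last = i == len(chain) - 1
        next_np = trailing_np if is_last else chain[i + 1][0]
        body += struct.pack("!BBH", next_np, 0, GENERIC_HDR_LEN + len(data)) + data
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, chain[0][0], 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return hdr + body


if __name__ == "__main__":
    # Constructed sample: an SA payload (type 1) followed by a Vendor ID (13).
    sample = [(1, b"\x00" * 8), (13, b"vendor")]
    compliant = build_message(sample)
    sloppy = build_message(sample, trailing_np=13)  # last payload wrongly says "VID follows"
    print("compliant, strict :", check_next_payload(compliant, strict=True))
    print("sloppy, strict    :", check_next_payload(sloppy, strict=True))
    print("sloppy, disabled  :", check_next_payload(sloppy, strict=False))
```

The parser still rejects length mismatches and a NONE marker that is not actually last even when `strict` is off, which is the distinction the guide draws: disabling the check relaxes only the value of the trailing Next payload field, not the structural sanity of the message.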
Displaying and maintaining IKE
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display IKE DPD information | display ike dpd [ dpd-name ] | Available in any view |
| Display IKE peer information | display ike peer [ peer-name ] | Available in any view |
| Display IKE SA information | display ike sa [ verbose [ connection-id connection-id \| remote-address remote-address ] ] | Available in any view |
| Display IKE proposal information | display ike proposal | Available in any view |
| Clear SAs established by IKE | reset ike sa [ connection-id ] | Available in user view |
Main mode IKE with pre-shared key authentication configuration example
Network requirements
As shown in Figure 23, an IPsec tunnel is established through IKE negotiation between Firewall A and Firewall B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.

Firewall A is configured with an IKE proposal that has sequence number 10 and uses MD5 as the authentication algorithm. Firewall B has only the default IKE proposal.