R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101

By default, the ID type is IP address.
In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation. In
aggressive mode, either type can be used.
If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway,
for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for
the local security gateway, for example, test@foo.bar.com.
Related commands: local-name, ike local-name, remote-name, remote-address, local-address, and
exchange-mode.
Examples
# Use the ID type of name during IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] id-type name
ike dpd
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
View
System view
Default level
2: System level
Parameters
dpd-name: Name for the dead peer detection (DPD) detector, a string of 1 to 32 characters.
Description
Use ike dpd to create a DPD detector and enter IKE DPD view.
Use undo ike dpd to remove a DPD detector.
Dead peer detection (DPD) detects dead IKE peers on demand rather than at fixed intervals. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval,
it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after having made the maximum number of
retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA
and the IPsec SAs based on the IKE SA.
DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less traffic
than the keepalive mechanism, which exchanges messages periodically.
Related commands: display ike dpd, interval-time, and time-out.
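To make the four DPD steps above concrete, here is an added Python model of the detector's timers; it is constructed for this reference entry and is not the firewall's own code. The names interval, retrans_interval and max_retries are assumed stand-ins for the DPD interval, the retransmission interval and the retry count, and time_to_declare_dead assumes the local end keeps sending IPsec traffic and checks its timers once a second.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the DPD procedure; times are in seconds.
@dataclass
class DpdDetector:
    interval: float          # DPD interval: idle time before a hello is sent
    retrans_interval: float  # DPD packet retransmission interval
    max_retries: int = 2     # retransmission attempts before the peer is declared dead
    last_rx: float = 0.0     # time the last IPsec packet was received from the peer
    hello_sent_at: Optional[float] = None  # time of the outstanding DPD hello, if any
    retries: int = 0
    peer_dead: bool = False  # once set, the IKE SA and its IPsec SAs are cleared

    def on_receive(self, now: float) -> None:
        """Any packet from the peer (IPsec data or a DPD ack) proves liveness."""
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def on_send(self, now: float) -> str:
        """Steps 1-2: when sending an IPsec packet, send a hello if the peer was silent."""
        if self.hello_sent_at is None and now - self.last_rx > self.interval:
            self.hello_sent_at = now
            return "hello"
        return "none"

    def on_timer(self, now: float) -> str:
        """Steps 3-4: retransmit an unacknowledged hello, or declare the peer dead."""
        if self.hello_sent_at is None or now - self.hello_sent_at < self.retrans_interval:
            return "none"
        if self.retries < self.max_retries:
            self.retries += 1
            self.hello_sent_at = now
            return "retransmit"
        self.peer_dead = True   # tear down the IKE SA and the IPsec SAs based on it
        return "dead"


def time_to_declare_dead(interval: float, retrans: float, max_retries: int = 2) -> float:
    """Seconds until a peer that goes silent at t=0 is declared dead (1 s polling assumed)."""
    d = DpdDetector(interval, retrans, max_retries)
    d.on_receive(0.0)
    t = 0
    while not d.peer_dead:
        t += 1
        d.on_send(t)
        d.on_timer(t)
    return float(t)
```

With a 10 s DPD interval, a 5 s retransmission interval and the default two retries, a silent peer is torn down after roughly 26 s; lowering the retry count shortens that window but makes the detector less tolerant of transient packet loss.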