R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
| Step | Command | Remarks |
|---|---|---|
| 7. Configure the names of the two ends. | a. Specify a name for the local security gateway: local-name name; b. Configure the name of the remote security gateway: remote-name name | Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used. The remote gateway name configured with remote-name command on the local gateway must be identical to the local name configured with the local-name command on the peer. |
| 8. Configure the IP addresses of the two ends. | a. Specify an IP address for the local gateway: local-address ip-address; b. Configure the IP addresses of the remote gateway: remote-address { hostname [ dynamic ] \| low-ip-address [ high-ip-address ] } | Optional. By default, it is the primary IP address of the interface referencing the security policy. The remote IP address configured with the remote-address command on the local gateway must be identical to the local IP address configured with the local-address command on the peer. |
| 9. Enable the NAT traversal function for IPsec/IKE. | nat traversal | This step is required when a NAT gateway is present in the VPN tunnel constructed by IPsec/IKE. Disabled by default. |
| 10. Set the subnet types of the two ends. | a. Set the subnet type of the local end: local { multi-subnet \| single-subnet }; b. Set the subnet type of the peer end: peer { multi-subnet \| single-subnet } | Optional. The default subnet type is single-subnet. Used only when the device is working together with a NetScreen device. |
| 11. Apply a DPD detector to the IKE peer. | dpd dpd-name | Optional. No DPD detector is applied to an IKE peer by default. For more information about DPD configuration, see "Configuring a DPD detector." |
NOTE:
After modifying the configuration of an IPsec IKE peer, execute the reset ipsec sa and reset ike sa commands to clear existing IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
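As an added example (not code from this guide or from HP), the Python script below cross-checks the step 7 and step 8 settings of two gateways against the rule stated in the remarks: each end's remote-name and remote-address must match the other end's local-name and local-address. The sample configurations, the peer names, and the choice to accept a low/high address range when the peer's local address falls inside it are assumptions.

```python
import ipaddress
# Constructed sample IKE peer blocks for two gateways (all names and addresses made up).
GW_A = """\
ike peer to-b
 local-name gw-a
 remote-name gw-b
 local-address 192.0.2.1
 remote-address 198.51.100.10 198.51.100.20
"""
GW_B = """\
ike peer to-a
 local-name gw-b
 remote-name gw-A
 local-address 198.51.100.1
 remote-address 192.0.2.1
"""
KEYS = ("local-name", "remote-name", "local-address", "remote-address")

def parse_peer(text):
    """Return {command: [arguments]} for the step 7 and 8 commands in one peer block."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if words and words[0] in KEYS:
            cfg[words[0]] = words[1:]
    return cfg

def address_ok(remote_args, local_ip):
    """True if local_ip equals the remote address or lies in its low-high range."""
    try:
        low, high = (ipaddress.ip_address(a) for a in (remote_args[0], remote_args[-1]))
    except ValueError:
        return True  # hostname form: cannot be verified offline, so not flagged
    return low <= ipaddress.ip_address(local_ip) <= high

def check_pair(a, b):
    """List every place where one end's remote-* does not mirror the other end's local-*."""
    findings = []
    for side, mine, theirs in (("A", a, b), ("B", b, a)):
        rn, ln = mine.get("remote-name"), theirs.get("local-name")
        if rn and ln and rn != ln:  # "identical" taken as exact, case-sensitive (assumption)
            findings.append(f"{side}: remote-name {rn[0]} != peer local-name {ln[0]}")
        ra, la = mine.get("remote-address"), theirs.get("local-address")
        if ra and la and not address_ok(ra, la[0]):
            findings.append(f"{side}: remote-address {' '.join(ra)} does not cover peer local-address {la[0]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(parse_peer(GW_A), parse_peer(GW_B))))
```

Settings that are left unset are skipped, because the defaults described in the remarks (the ike local-name value, the interface's primary IP address) are not visible in the peer block itself.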
Setting keepalive timers
IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured
with the keepalive timeout, you need to configure the keepalive packet transmission interval on the local
end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA will be tagged