R2511-HP MSR Router Series Security Configuration Guide (V5), page 225
Step 2: Configure the cookie challenging function.
  Command: ikev2 cookie-challenge number
  Remarks: Disabled by default.
Configuring the IKEv2 DPD function
The IKEv2 DPD function detects dead IKE peers in on-demand or periodic mode.
In periodic mode, the DPD function sends DPD hellos to the peer at the specified interval to detect the
liveliness of the peer.
In on-demand mode, the DPD function works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer to detect its liveliness.
To configure the IKEv2 DPD function:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Configure the IKEv2 DPD function.
  Command: ikev2 dpd interval { on-demand | periodic }
  Remarks: Disabled by default.
The DPD configuration here is the global configuration. You can also configure the DPD function in IKEv2
profile view. In this case, the configuration in IKEv2 profile view takes precedence.
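The following is an added illustration, not HP or Comware code: a small Python model of the two DPD modes as the guide describes them. The DpdPeer class, the simulate() helper, the traffic timelines and the "at most one hello per interval" suppression are all assumptions of this model, chosen to make one operational point visible: in on-demand mode a hello is only ever triggered by an outbound IPsec packet, so a peer that dies while the local end has nothing to send is never probed, whereas periodic mode probes on the timer regardless of traffic.

```python
from dataclasses import dataclass, field


@dataclass
class DpdPeer:
    """State the local end keeps for one IKEv2 peer in this model (constructed)."""
    mode: str                               # "on-demand" or "periodic", as in
                                            # 'ikev2 dpd interval { on-demand | periodic }'
    interval: int                           # configured DPD interval, in seconds
    last_rx: float = 0.0                    # time the last IPsec packet was received from the peer
                                            # (the SA is assumed to come up at t=0)
    last_hello: float = float("-inf")       # time the last DPD hello was sent
    hellos: list = field(default_factory=list)

    def on_receive(self, now: float) -> None:
        """Any IPsec packet from the peer proves it is alive at time 'now'."""
        self.last_rx = now

    def _send_hello(self, now: float) -> bool:
        # Assumption of this model: send at most one hello per interval so a
        # silent peer is not flooded with probes on every outbound packet.
        if now - self.last_hello < self.interval:
            return False
        self.last_hello = now
        self.hellos.append(now)
        return True

    def on_send(self, now: float) -> bool:
        """On-demand rule: an outbound IPsec packet triggers the liveliness check.
        A hello goes out only if the last packet from the peer is older than the interval."""
        if self.mode == "on-demand" and now - self.last_rx > self.interval:
            return self._send_hello(now)
        return False

    def tick(self, now: float) -> bool:
        """Periodic rule: the timer sends hellos whether or not there is traffic."""
        if self.mode == "periodic":
            return self._send_hello(now)
        return False


def simulate(mode: str, interval: int, rx_times, tx_times, horizon: int) -> list:
    """Replay a constructed traffic timeline (seconds) and return the times at
    which this model would send DPD hellos. The timer ticks once per second."""
    peer = DpdPeer(mode, interval)
    events = ([(t, "rx") for t in rx_times]
              + [(t, "tx") for t in tx_times]
              + [(t, "tick") for t in range(horizon + 1)])
    for t, kind in sorted(events):          # at equal times: rx, then tick, then tx
        if kind == "rx":
            peer.on_receive(t)
        elif kind == "tx":
            peer.on_send(t)
        else:
            peer.tick(t)
    return peer.hellos


if __name__ == "__main__":
    # Constructed scenario: the peer is last heard from at t=10, interval is 10 s.
    busy_local = [0, 5, 10, 15, 20, 25, 30, 35, 40]   # local keeps sending IPsec traffic
    idle_local = [0, 5, 10]                           # local stops sending at t=10
    print("on-demand, busy local:", simulate("on-demand", 10, [0, 5, 10], busy_local, 40))
    print("on-demand, idle local:", simulate("on-demand", 10, [0, 5, 10], idle_local, 40))
    print("periodic,  idle local:", simulate("periodic", 10, [0, 5, 10], idle_local, 40))
```

The second and third lines of output are the point: with the same dead peer, on-demand mode with an idle local end produces no hello at all, while periodic mode keeps probing on the timer. That is the trade-off between the two keywords of the ikev2 dpd command: periodic costs a hello every interval per peer, on-demand costs nothing while the tunnel is idle but only notices a dead peer once the local end tries to use the tunnel.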
Setting limits on the number of IKEv2 SAs
IKEv2 can limit the number of half-open and established IKEv2 SAs.
To set the maximum number of half-open IKEv2 SAs or the maximum number of established IKEv2 SAs:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Set the maximum number of half-open IKEv2 SAs or the maximum number of established IKEv2 SAs.
  Command: ikev2 limit { max-in-negotiation-sa | max-sa } limit
  Remarks: Optional. By default, the maximum number of half-open IKEv2 SAs is 1000, and the maximum number of established IKEv2 SAs is 10000.
NOTE:
• IKEv2 SAs being rekeyed are not counted in the number of half-open IKEv2 SAs.
• Rekeyed IKEv2 SAs are not counted in the number of established IKEv2 SAs if the old ones are already counted.
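As an added illustration (not HP or Comware code), the Python model below applies the two counting rules from the note to a small SA table and enforces the two limits of the ikev2 limit command against those counts. The Ikev2SaTable class, its method names, the assumption that a new negotiation is refused once the relevant count has reached its limit, and the scenario in demo() are all constructed for this example; the guide itself only states what is counted, not how an over-limit request is handled.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Ikev2Sa:
    """One IKEv2 SA as this model tracks it (constructed)."""
    peer: str
    state: str                        # "half-open" (still in negotiation) or "established"
    rekey_of: Optional[str] = None    # id of the SA this one replaces, if it is a rekey


class Ikev2SaTable:
    """Models 'ikev2 limit max-in-negotiation-sa' and 'ikev2 limit max-sa'.
    Defaults match the guide: 1000 half-open, 10000 established."""

    def __init__(self, max_in_negotiation_sa: int = 1000, max_sa: int = 10000):
        self.max_in_negotiation_sa = max_in_negotiation_sa
        self.max_sa = max_sa
        self.sas: Dict[str, Ikev2Sa] = {}

    def half_open_count(self) -> int:
        # Note, bullet 1: SAs being rekeyed are not half-open SAs.
        return sum(1 for s in self.sas.values()
                   if s.state == "half-open" and s.rekey_of is None)

    def _counts_as_established(self, sa: Ikev2Sa) -> bool:
        # Note, bullet 2: a rekeyed SA is not counted while the old SA it
        # replaces is still present and therefore still counted.
        return sa.rekey_of not in self.sas

    def established_count(self) -> int:
        return sum(1 for s in self.sas.values()
                   if s.state == "established" and self._counts_as_established(s))

    def start_negotiation(self, sa_id: str, peer: str, rekey_of: Optional[str] = None) -> bool:
        """Assumption: a fresh negotiation is refused at the half-open limit.
        Rekeys are not subject to it because they are not counted as half-open."""
        if rekey_of is None and self.half_open_count() >= self.max_in_negotiation_sa:
            return False
        self.sas[sa_id] = Ikev2Sa(peer, "half-open", rekey_of)
        return True

    def complete(self, sa_id: str) -> bool:
        """Assumption: an SA that would count as established is refused at max-sa."""
        sa = self.sas[sa_id]
        if self._counts_as_established(sa) and self.established_count() >= self.max_sa:
            return False
        sa.state = "established"
        return True

    def delete(self, sa_id: str) -> None:
        self.sas.pop(sa_id, None)


def demo() -> dict:
    """Constructed scenario with deliberately tiny limits so both rules are exercised."""
    t = Ikev2SaTable(max_in_negotiation_sa=2, max_sa=3)
    r = {}
    t.start_negotiation("sa1", "peerA")
    t.complete("sa1")                                   # 1 established
    t.start_negotiation("sa2", "peerB")
    t.start_negotiation("sa3", "peerC")                 # 2 half-open: limit reached
    r["fourth_half_open_admitted"] = t.start_negotiation("sa4", "peerD")
    r["rekey_admitted"] = t.start_negotiation("sa1r", "peerA", rekey_of="sa1")
    r["half_open"] = t.half_open_count()                # the rekey did not add to it
    t.complete("sa1r")
    r["established_during_rekey"] = t.established_count()   # sa1 counted, sa1r not yet
    t.delete("sa1")
    r["established_after_old_deleted"] = t.established_count()  # now sa1r is counted
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The half-open limit is the one that matters for resource exhaustion: only fresh negotiations consume it, which is why a flood of IKE_SA_INIT requests cannot also block legitimate rekeys of tunnels that are already up.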