3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
180 CHAPTER 11: IKE CONFIGURATION
On a network, packets are rarely lost more than 3 times in a row, so the timeout
can be configured to be 3 times as long as the Keepalive packet transmission
interval of the peer.
By default, this function is disabled.
Configuring Keepalive sending interval
Perform the following configuration in system view (see Table 183).
The default NAT Keepalive time interval is 20 seconds.
The NAT gateway sends NAT Keepalive packets to maintain dynamic mapping
between IKE peers, but not to detect the status of the peers. When defining the
interval, ensure that it is less than the NAT translation timeout.
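The two timer rules above can be checked before a change is committed. The following is an added example, not part of the original guide: the function names are hypothetical, the NAT translation timeout and both Keepalive values are assumed to be supplied by the operator, and the configuration text is a constructed sample.

```python
import re

DEFAULT_NAT_KEEPALIVE = 20  # seconds; the default stated in this section

# Matches the two command forms listed in Table 183.
_NAT_CMD = re.compile(
    r"^\s*(undo\s+)?ike\s+sa\s+nat-keepalive-timer\s+interval(?:\s+(\d+))?\s*$"
)

def effective_nat_keepalive(config_text):
    """Return the NAT Keepalive interval in effect after all lines apply."""
    interval = DEFAULT_NAT_KEEPALIVE
    for line in config_text.splitlines():
        m = _NAT_CMD.match(line)
        if not m:
            continue
        if m.group(1):                 # undo form restores the default
            interval = DEFAULT_NAT_KEEPALIVE
        elif m.group(2):               # explicit interval in seconds
            interval = int(m.group(2))
    return interval

def audit_timers(config_text, nat_translation_timeout,
                 peer_keepalive_interval=None, local_keepalive_timeout=None):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    nat_ka = effective_nat_keepalive(config_text)
    # Rule 1: NAT Keepalive interval must be less than the NAT translation timeout.
    if nat_ka >= nat_translation_timeout:
        findings.append(
            f"NAT Keepalive interval {nat_ka}s is not below the NAT "
            f"translation timeout {nat_translation_timeout}s"
        )
    # Rule 2: Keepalive timeout of 3 times the peer's sending interval.
    if None not in (peer_keepalive_interval, local_keepalive_timeout):
        wanted = 3 * peer_keepalive_interval
        if local_keepalive_timeout < wanted:
            findings.append(
                f"Keepalive timeout {local_keepalive_timeout}s is below "
                f"3 x peer interval ({wanted}s)"
            )
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = "ike sa nat-keepalive-timer interval 40\n"

if __name__ == "__main__":
    for finding in audit_timers(SAMPLE_CONFIG, 30, 20, 40):
        print("WARN:", finding)
```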
Displaying and Debugging IKE
After the above configuration, execute the display command in any view to display
the running status of the IKE configuration and to verify the effect of the
configuration. Execute the debugging and reset commands in user view (see Table 184).
You can delete a specified security channel by specifying the SA connection-id,
which can be displayed by executing the display ike sa command. For a given
security channel (that is, the same remote end), the connection-id information
includes the information at stage 1 and the information at stage 2.
If the ISAKMP SA at stage 1 still exists when you delete the local SA, the system
sends a DELETE message under the protection of the ISAKMP SA to notify
the peer to clear the SA database.
Table 183 Configure Keepalive sending interval

Operation                                                                Command
Define the time interval for the IKE peer to send NAT Keepalive packets  ike sa nat-keepalive-timer interval seconds
Restore the default NAT Keepalive time interval                          undo ike sa nat-keepalive-timer interval

Table 184 Display and debug IKE

Operation                                                            Command
Display the current established security channel                     display ike sa [ verbose [ connection-id id | remote-address ip-address ] ]
Display the parameters of each IKE proposal configuration            display ike proposal
Display the configuration of IKE peers                               display ike peer [ peer-name ]
Display the authentication key of the pre-shared key authentication  display ike pre-share-key
Delete a security channel                                            reset ike sa [ connection-id ]
Enable the information debugging of IKE                              debugging ike { all | error | exchange | message | misc | transport }
Disable the information debugging of IKE                             undo debugging ike { all | error | exchange | message | misc | transport }