3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

CHAPTER 23: IKE CONFIGURATION COMMANDS
By default, this function is disabled.
This command configures the interval at which the local end sends Keepalive
packets to the remote end through the ISAKMP SA. IKE uses Keepalive packets to
maintain the link state of the ISAKMP SA. In general, if a timeout is configured
at the remote end by using the ike sa keepalive-timer timeout command, an
interval for sending Keepalive packets must be configured at the local end. When
the remote end does not receive a Keepalive packet within the configured timeout,
an ISAKMP SA that already carries the TIMEOUT flag is deleted together with its
corresponding IPsec SA; an ISAKMP SA without the TIMEOUT flag is marked as
TIMEOUT. The configured timeout should therefore be longer than the interval for
sending Keepalive packets.
Related command: ike sa keepalive-timer timeout.
Example
# Configure the local end to send Keepalive packets to the remote end every
20 seconds.
[SecBlade_VPN] ike sa keepalive-timer interval 20
ike sa keepalive-timer timeout
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
View
System view
Parameter
seconds: Specifies the timeout for ISAKMP SA to wait for the Keepalive packet. It
can be set to a value in the range 20 to 28800.
Description
Use the ike sa keepalive-timer timeout command to configure a timeout for
ISAKMP SA to wait for the Keepalive packet.
Use the undo ike sa keepalive-timer timeout command to disable the function.
By default, this function is disabled.
This command configures how long the ISAKMP SA waits for a Keepalive packet
from the remote end. IKE uses Keepalive packets to maintain the link state of
the ISAKMP SA. When no Keepalive packet is received within the configured
timeout, an ISAKMP SA that already carries the TIMEOUT flag is deleted together
with its corresponding IPsec SA; an ISAKMP SA without the TIMEOUT flag is marked
as TIMEOUT. The configured timeout should therefore be longer than the interval
for sending Keepalive packets.
Generally, no more than three consecutive packets are lost in the network, so
the timeout can be configured as three times the interval set for the remote
end to send Keepalive packets.
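
The following is an added example, not part of the original guide or of any 3Com tool: a Python sketch that checks one end's keepalive interval against the other end's timeout and replays the two-stage TIMEOUT handling described above. The function names, the sample configuration lines and the rule that a received Keepalive restarts the timer and clears the TIMEOUT flag are assumptions.

```python
import re

TIMEOUT_RANGE = (20, 28800)  # seconds; the range this page gives for the timeout

def keepalive_value(config, kind):
    """Return N from 'ike sa keepalive-timer <kind> N' (prompt optional), else None."""
    m = re.search(rf"^(?:\[\S+\]\s*)?ike sa keepalive-timer {kind} (\d+)\s*$",
                  config, re.M)
    return int(m.group(1)) if m else None

def check_pair(sender_cfg, receiver_cfg):
    """Compare the sender's interval with the receiver's timeout."""
    interval = keepalive_value(sender_cfg, "interval")
    timeout = keepalive_value(receiver_cfg, "timeout")
    if timeout is None:
        return []  # timeout function disabled (the default): nothing to compare
    problems = []
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        problems.append("timeout outside 20-28800")
    if interval is None:
        problems.append("peer sends no keepalives")
    elif timeout <= interval:
        problems.append("timeout not longer than interval")
    elif timeout < 3 * interval:
        problems.append("timeout below 3x interval")
    return problems

def simulate(interval, timeout, lost, duration):
    """Replay the receiver's timer; lost = 1-based numbers of dropped keepalives."""
    # Assumptions not stated on the page: the SA is established at t=0, and a
    # received keepalive restarts the timer and clears the TIMEOUT flag.
    events, flagged, last = [], False, 0
    for t in range(1, duration + 1):
        if t % interval == 0 and t // interval not in lost:
            last, flagged = t, False
        elif t - last >= timeout:
            if flagged:                  # second expiry in a row: SA deleted
                events.append((t, "deleted"))
                break
            flagged, last = True, t      # first expiry: mark TIMEOUT
            events.append((t, "TIMEOUT"))
    return events

# Constructed sample configuration line (not captured from a device).
SENDER = "[SecBlade_VPN] ike sa keepalive-timer interval 20"
if __name__ == "__main__":
    for seconds in (20, 60):
        print(seconds, check_pair(SENDER, f"ike sa keepalive-timer timeout {seconds}"),
              simulate(20, seconds, {2}, 200))
```

With a 20-second interval, a 20-second timeout marks the SA as TIMEOUT after a single lost Keepalive, while a 60-second timeout rides out that loss and deletes the SA only when the peer stays silent.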