HP VPN Firewall Appliances VPN Configuration Guide

Field                       Description
Flag                        Status of the SA. Possible values include:
                            RD (Ready): The SA has been established and is ready for use.
                            ST (Stayalive): The local end is the tunnel negotiation initiator.
                            RL (Replaced): The tunnel has been replaced and will be cleared soon.
                            FD (Fading): The soft lifetime has expired but the tunnel is still in use.
                            The tunnel will be deleted when the hard lifetime expires.
                            TO (Timeout): The SA has received no keepalive packets since the last
                            keepalive timeout. If no keepalive packet is received before the next
                            keepalive timeout, the SA will be deleted.
                            IMPORTANT:
                            IKE tracks the liveness of an ISAKMP SA with keepalive packets. If the
                            peer is configured with a keepalive timeout, you must configure the
                            keepalive transmission interval on the local end, and that interval must
                            be shorter than the peer's timeout. If the peer receives no keepalive
                            packet during one timeout interval, it tags the ISAKMP SA with the
                            TIMEOUT flag if the SA does not already carry it; if the SA already
                            carries the flag, the peer deletes the ISAKMP SA together with the IPsec
                            SAs it negotiated.
Domain of Interpretation    The interpretation domain (DOI) to which the SA belongs.
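The flag table above is most useful when it is turned into a check: an SA carrying TO is one missed keepalive away from being torn down along with its IPsec SAs, while RL and FD only warn. The script below is an added example and is not code from the HP guide. It assumes a listing layout of one SA per line with the columns connection-id, peer, flag, phase and doi, with several flags joined by "|" (such as "RD|ST"); the sample listing is constructed for illustration, and the rule that the local keepalive interval must be shorter than the peer's timeout is an assumption drawn from the IMPORTANT note rather than a ratio the guide states.

```python
"""Classify the flag field of an IKE SA listing against the flag table.

Added example, not from the HP guide. The listing layout (one SA per line:
connection-id, peer, flags joined by '|', phase, doi) is an assumption and
the sample listing below is constructed.
"""
from dataclasses import dataclass, field

# Flag meanings as given in the table.
FLAG_MEANING = {
    "RD": "ready",
    "ST": "stayalive (local end initiated the negotiation)",
    "RL": "replaced (will be cleared soon)",
    "FD": "fading (soft lifetime expired, deleted at hard lifetime)",
    "TO": "timeout (no keepalive since the last keepalive timeout)",
}


@dataclass
class SaEntry:
    conn_id: int
    peer: str
    phase: int
    doi: str
    flags: set = field(default_factory=set)

    @property
    def severity(self):
        """critical: one more missed keepalive deletes this SA and its IPsec SAs;
        warn: being replaced or past its soft lifetime;
        ok: established and ready; pending: not yet established."""
        if "TO" in self.flags:
            return "critical"
        if "RL" in self.flags or "FD" in self.flags:
            return "warn"
        if "RD" in self.flags:
            return "ok"
        return "pending"


def parse_flags(text):
    """Split 'RD|ST' into {'RD', 'ST'}; reject flags the table does not define."""
    flags = {f for f in text.split("|") if f}
    unknown = flags - FLAG_MEANING.keys()
    if unknown:
        raise ValueError("unknown SA flag(s): %s" % sorted(unknown))
    return flags


def parse_sa_listing(listing):
    """Parse the assumed listing format; header and separator lines are skipped."""
    entries = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        conn_id, peer, flags, phase, doi = parts
        entries[int(conn_id)] = SaEntry(int(conn_id), peer, int(phase), doi,
                                        parse_flags(flags))
    return entries


def at_risk(entries):
    """Connection IDs of SAs that will disappear without operator action."""
    return sorted(c for c, e in entries.items()
                  if e.severity in ("critical", "warn"))


def keepalive_consistent(local_interval_s, peer_timeout_s):
    """Local keepalives must be sent, and more often than the peer times out.
    (Assumption derived from the IMPORTANT note; the guide gives no ratio.)"""
    return 0 < local_interval_s < peer_timeout_s


# Constructed sample listing; the column layout is assumed, not copied.
SAMPLE_LISTING = """\
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            10.1.1.2        RD|ST       1       IPSEC
      2            10.1.1.2        RD          2       IPSEC
      3            10.1.1.3        RD|TO       1       IPSEC
      4            10.1.1.4        RD|FD|ST    2       IPSEC
      5            10.1.1.5        RL          1       IPSEC
      6            10.1.1.6        ST          1       IPSEC
"""

if __name__ == "__main__":
    table = parse_sa_listing(SAMPLE_LISTING)
    for conn_id, entry in sorted(table.items()):
        meanings = ", ".join(FLAG_MEANING[f] for f in sorted(entry.flags))
        print(f"SA {conn_id} to {entry.peer} phase {entry.phase}: "
              f"{entry.severity} ({meanings})")
    print("at risk:", at_risk(table))
```

Run it against a saved listing in the assumed layout; any SA reported as critical has already missed one keepalive timeout, so the thing to verify first is that the local keepalive interval is configured and shorter than the peer's timeout.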
IKE configuration example
Network requirements
As shown in Figure 83, configure a security tunnel between Device A and Device B to protect the traffic
between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Either Device A or Device B can be the firewall appliance.
On Device A, configure an IKE proposal with sequence number 10 that uses the MD5 authentication
algorithm. Leave Device B with only the default IKE proposal. IKE peers select a proposal by matching
its algorithms, not its sequence number, so Device B's default proposal must match the settings chosen
on Device A. MD5 is used here only because this example calls for it; for production tunnels, prefer a
SHA-based authentication algorithm.
Configure the pre-shared key authentication method.
Figure 83 Network diagram
Configuring Device A
1. Configure interface IP addresses and assign interfaces to security zones. (Details not shown.)
2. Create ACL 3101:
a. Select Firewall > ACL from the navigation tree.
b. Click Add.
c. Enter the ACL number 3101, and select the match order Config.