3Com 10014299 Displaying and Debugging IKE

592 CHAPTER 41: CONFIGURING IKE

By default, SA lifetime is 86400 seconds (a day). It is recommended that the

configured seconds should be greater than 10 minutes.

Configuring IKE

Keepalive Timer The Keepalive function detects and deletes idle security association when the peer

party is invalid and cannot operate. Usually, the initiator transmits a packet proving

itself still alive to the peer party, while the responder confirms that the peer party is

still alive after receiving it. The keepalive function includes two timers, interval and

timeout.

■The interval timer mainly assists in transmitting keepalive packets to the peer

party, following a set time interval, to prove that it is still alive.

■The timeout timer mainly assists timing events to query the status of security

tunnel periodically, and deletes the timed out security tunnel.

Configure the following in system view.

Tabl e 663 Configure IKE Keepalive Timer

By default, the system does not enable IKE keepalive timing (interval and timeout)

event.

Usually, the interval and timeout timers are applied in pairs at the initiator side or

the receiver side. If an interval timer is configured at one side, the other side

should be configured with a timeout timer. In the actual application, if one side is

configured with the timeout timer, the other side must be configured with the

interval timer or the SA will be deleted. If one side is configured with the interval

timer, it is not necessary to configure the timeout timer at the other side. To avoid

the negative influence of network congestion on the keepalive function, you

should set the value of the timeout timer three times higher than that of the

interval timer.

Displaying and

Debugging IKE Use debugging, reset and display commands in all views.

Tabl e 664 Display and Debug IKE

Operation Command

Configure transmitting time interval of IKE

keepalive packets (interval) ike sa keepalive-timer interval

seconds

Delete interval timing event of IKE

keepalive function undo ike sa keepalive-timer

interval

Configure IKE keepalive link timeout time

(timeout) ike sa keepalive-timer timeout

seconds

Delete timeout timing event of IKE

keepalive function undo ike sa keepalive-timer timeout

Operation Command

Display IKE security association parameter display ike sa

Display IKE security policy display ike proposal

Delete the security channel established by

IKE reset ike sa { connection-ike-sa-id |

all }

Clear an SA debugging ike { all | crypto | error

transport }