MSR Series Routers

Configuring the IKE Keepalive Feature

 

Keywords: MSR; IKE; Keepalive; IPSec

 

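I. Networking requirements

Two MSR routers use keepalive to keep their IKE SAs consistent.

Equipment list: 2 MSR series routers

II. Network diagram:

III. Configuration steps:

RTA configuration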

#

 // Set the interval at which IKE SA keepalives are sent; 60 s here

 ike sa keepalive-timer interval 60

#

ike peer 1.2.0.2

 pre-shared-key h3c

 remote-address 1.2.0.2

#

ipsec proposal def

#

ipsec policy 1.2.0.2 1 isakmp

 security acl 3000

 ike-peer 1.2.0.2

 proposal def

#

acl number 3000

 rule 0 permit ip source 1.2.0.1 0 destination 1.2.0.2 0

#

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.2.0.1 255.255.255.252

 ipsec policy 1.2.0.2

#

RTB configuration

#

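 // Set the IKE SA keepalive timeout: if no keepalive is received from the peer within this period, the IKE SA is deleted. 240 s here; the timeout is generally set to more than 3 times the peer's sending interval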

 ike sa keepalive-timer timeout 240

#

ike peer 1.2.0.1

 pre-shared-key h3c

 remote-address 1.2.0.1

#

ipsec proposal def

#

ipsec policy 1.2.0.1 1 isakmp

 security acl 3000

 ike-peer 1.2.0.1

 proposal def

#

acl number 3000

 rule 0 permit ip source 1.2.0.2 0 destination 1.2.0.1 0

#

interface GigabitEthernet0/0

 port link-mode route

 ip address 1.2.0.2 255.255.255.252

 ipsec policy 1.2.0.1

#

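IV. Key configuration points

1) Keepalive is a one-way liveness mechanism (one end configures the sending interval, the other end configures the timeout). For two-way keepalive, both the interval and the timeout must be configured on both ends;

2) The timeout should be greater than 3 times the sending interval;

3) Keepalive is a proprietary mechanism; the keepalive implementations of different vendors do not interoperate.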
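An added example, not part of the original page or any vendor tool: a Python check that reads the configuration text of both routers and applies key points 1) and 2) to each direction separately. The function names and finding strings are assumptions made for illustration; the sample inputs are constructed from the keepalive lines of the RTA and RTB configurations above.

```python
import re

# Matches the two commands used on this page, e.g.
#   ike sa keepalive-timer interval 60
TIMER_RE = re.compile(r"^\s*ike sa keepalive-timer (interval|timeout) (\d+)\s*$", re.M)

def keepalive_timers(config: str) -> dict:
    """Return {'interval': s, 'timeout': s} for whichever timers are configured."""
    return {kind: int(value) for kind, value in TIMER_RE.findall(config)}

def check_direction(sender: str, s_cfg: str, receiver: str, r_cfg: str) -> list:
    """Check keepalives flowing sender -> receiver and return the findings."""
    interval = keepalive_timers(s_cfg).get("interval")
    timeout = keepalive_timers(r_cfg).get("timeout")
    where = f"{sender}->{receiver}"
    if interval is None and timeout is None:
        return [f"{where}: not monitored (no interval on {sender}, no timeout on {receiver})"]
    if interval is None:
        # The receiver waits for keepalives that are never sent; per the timeout
        # behaviour described on this page it then deletes the IKE SA.
        return [f"{where}: {receiver} has timeout {timeout}s but {sender} sends no keepalives"]
    if timeout is None:
        return [f"{where}: {sender} sends every {interval}s but {receiver} has no timeout"]
    if timeout <= 3 * interval:
        return [f"{where}: timeout {timeout}s is not greater than 3 x interval {interval}s"]
    return [f"{where}: OK (interval {interval}s, timeout {timeout}s)"]

def check_pair(rta_cfg: str, rtb_cfg: str) -> list:
    """Evaluate both directions, since the mechanism is one-way."""
    return (check_direction("RTA", rta_cfg, "RTB", rtb_cfg)
            + check_direction("RTB", rtb_cfg, "RTA", rta_cfg))

# Constructed sample inputs: the keepalive lines from the two configs on this page.
RTA = "#\n ike sa keepalive-timer interval 60\n#\nike peer 1.2.0.2\n"
RTB = "#\n ike sa keepalive-timer timeout 240\n#\nike peer 1.2.0.1\n"

if __name__ == "__main__":
    for finding in check_pair(RTA, RTB):
        print(finding)
```

For the configuration on this page the check reports the RTA to RTB direction as OK and the RTB to RTA direction as not monitored, which is the one-way behaviour described in key point 1).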
