H3c-technologies H3C SecPath F1000-E Manual de usuario Pagina 171
- Pagina / 182
- Tabla de contenidos
- SOLUCIÓN DE PROBLEMAS
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
7
To do… Use the command… Remarks
Apply a DPD to the IKE peer dpd dpd-name
Optional
No DPD is applied to an IKE peer
by default.
For DPD configuration, refer to
Configuring a DPD.
Note that:
• After modifying the configuration of an IPsec IKE peer, run the reset ipsec sa and reset ike sa
commands to clear the previous IPsec and IKE SAs. Otherwise, SA re-negotiation will fail.
• If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode
must be aggressive.
• In main mode of pre-shared key authentication, only the ID type of IP address can be used in IKE
negotiation. In aggressive mode, however, either type can be used.
• An IKE peer uses its configured IKE negotiation mode when it is the negotiation initiator. A
negotiation responder uses the IKE negotiation mode of the initiator.
• The local-address command is required only when you want to specify a special address (a
loopback interface address, for example) for the local gateway. The remote-name command or the
remote-address command is required for the initiator so that the initiator can find the remote peer
in negotiation.
• To save IP addresses, ISPs often deploy NAT gateways on public networks so as to allocate private
IP addresses to users. In this case, one end of an IPsec/IKE tunnel may have a public address while
the other end may have a private address, and therefore NAT traversal must be configured at the
both endpoints to set up the tunnel.
• The remote gateway name configured with remote-name command on the local gateway must be
identical to the local name configured with the local-name command on its peer.
• The remote IP address configured with the remote-address command on the local gateway must be
identical to the local IP address configured with the local-address command on its peer.
• The IKE proposals specified in IKE peer view are used when the local peer initiates a negotiation.
When acting as a responder, the local peer uses the IKE proposals configured in system view for
negotiation.
Setting Keepalive Timers
IKE maintains the link status of an ISAKMP SA by keepalive packets. Generally, if the peer is configured
with the keepalive timeout, you need to configure the keepalive packet transmission interval on the local
end. If the peer receives no keepalive packet during the timeout interval, the ISAKMP SA will be tagged
with the TIMEOUT tag (if it does not have the tag), or be deleted along with the IPsec SAs it negotiated
(when it has the tag already).
Follow these steps to set the keepalive timers:
To do… Use the command… Remarks
Enter system view system-view —
Set the ISAKMP SA keepalive
interval
ike sa keepalive-timer interval
seconds
Required
No keepalive packet is sent by
default.
- Table of Contents 1
- Portal Configuration 2
- Portal System Components 3
- Portal Authentication Modes 4
- Configuration Prerequisites 8
- RADIUS Configuration 12
- Firewall Web 12
- Configuration Manual 12
- Portal Packets 13
- 2. Probe parameters 15
- Logging Off Portal Users 17
- Step2 Configure Device 21
- DHCP Configuration 24
- Functions 27
- Information Synchronization 34
- Configuration considerations 35
- Troubleshooting Portal 42
- ALG Configuration 45
- 2. Authenticating the user 46
- Enabling ALG 47
- ALG Configuration Examples 47
- # Enable ALG for NBT 50
- # Configure NAT 50
- RSH Configuration 52
- RSH Configuration Example 53
- SSH2.0 Configuration 57
- Version negotiation 58
- Authentication 58
- Session request 59
- Interaction 59
- SSH Connection Across VPNs 60
- Public Key Commands 61
- Security Volume 61
- Interface Commands 62
- System Volume 62
- Configuring an SSH User 63
- SFTP Service 80
- Working with SFTP Files 83
- Displaying Help Information 84
- SSL Configuration 91
- SSL Configuration Task List 92
- Configuration Procedure 93
- Troubleshooting SSL 97
- Web Filtering Configuration 100
- Java Blocking 101
- ActiveX Blocking 101
- Configuring Web Filtering 102
- Network requirements 103
- Configuration procedure 104
- Invalid Use of Wildcard 107
- Invalid Blocking Suffix 107
- Public Key Configuration 109
- Connection Limit Overview 118
- Verification 121
- Symptom 121
- Analysis 121
- Solution 122
- Contents 123
- Firewall configuration 124
- IPsec Configuration 129
- Implementation of IPsec 130
- Basic Concepts of IPsec 130
- Encapsulation modes 131
- IPsec Tunnel Interface 132
- Configuring IPsec 134
- Implementing ACL-Based IPsec 135
- Mirror image ACLs 137
- Protection modes 138
- Configuring an IPsec Policy 139
- NOTE: 143
- Configuring an IPsec Profile 148
- Tunneling Commands 150
- IP Services Volume 150
- IPsec Configuration Examples 152
- 2. Configure Device B 153
- Configuation procedure 157
- 3. Configure Device C 162
- IKE Configuration 165
- Operation of IKE 166
- IKE Configuration Task List 167
- Gateway 168
- Configuring an IKE Proposal 168
- Configuring an IKE Peer 169
- Setting Keepalive Timers 171
- Configuring a DPD 172
- IKE Configuration Examples 173
- Traversal 175
- Troubleshooting IKE 180
- Proposal Mismatch 181
- ACL Configuration Error 181
Relacionado con productos y manuales para La Seguridad H3c-technologies H3C SecPath F1000-E
(95 paginas)
(17 paginas)© 2020, manymanuals.es. Todos los derechos reservados | 0.339 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales