Configuring the IKE keepalive feature
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
Follow these guidelines when you configure the IKE keepalive feature:
Configure IKE DPD instead of the IKE keepalive feature unless IKE DPD is not supported on the peer. The IKE keepalive feature sends keepalives at regular intervals, which consumes network bandwidth and resources.
The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer. Because it is rare for more than three consecutive packets to be lost on a network, you can set the keepalive timeout to three times the keepalive interval.
To configure the IKE keepalive feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set the IKE SA keepalive interval. | ike keepalive interval seconds | By default, no keepalives are sent to the peer. |
3. Set the IKE SA keepalive timeout time. | ike keepalive timeout seconds | By default, IKE SA keepalive never times out. |
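
The guidelines above tie each device's timeout to the interval configured on its peer, so the two configurations have to be checked together and in both directions. The following added example (not part of the original documentation or any vendor tool) does that check; the device names, sample configurations, and function names are constructed for illustration.

```python
import re

# The two commands from the table above; the argument is a number of seconds.
_CMD = re.compile(
    r"^[ \t]*ike[ \t]+keepalive[ \t]+(interval|timeout)[ \t]+(\d+)[ \t]*$", re.M)

# Constructed sample configurations (not taken from real devices).
DEVICE_A = "ike keepalive interval 20\nike keepalive timeout 30\n"
DEVICE_B = "ike keepalive timeout 60\n"

def parse_keepalive(config):
    """Extract the keepalive interval and timeout (None means the default)."""
    settings = {"interval": None, "timeout": None}
    for name, value in _CMD.findall(config):
        settings[name] = int(value)  # assumption: a later line overrides an earlier one
    return settings

def check_direction(sender_name, sender, receiver_name, receiver):
    """Check keepalives sent by one device against the other's timeout."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if timeout is None:
        return []  # default: the receiver never times out the IKE SA
    if interval is None:
        return [f"ERROR: {receiver_name} times out after {timeout}s but "
                f"{sender_name} sends no keepalives; the IKE SA and the "
                f"IPsec SAs it negotiated will be deleted"]
    if timeout <= interval:
        return [f"ERROR: timeout on {receiver_name} ({timeout}s) is not longer "
                f"than the interval on {sender_name} ({interval}s)"]
    if timeout < 3 * interval:
        return [f"NOTE: timeout on {receiver_name} ({timeout}s) is below three "
                f"times the interval on {sender_name} ({3 * interval}s)"]
    return []

def check_pair(name_a, config_a, name_b, config_b):
    """Apply the guidelines to keepalives flowing A to B and B to A."""
    a, b = parse_keepalive(config_a), parse_keepalive(config_b)
    return (check_direction(name_a, a, name_b, b)
            + check_direction(name_b, b, name_a, a))

if __name__ == "__main__":
    for finding in check_pair("A", DEVICE_A, "B", DEVICE_B):
        print(finding)
```

With the sample configurations, the A to B direction passes (60 seconds is three times 20 seconds), while the B to A direction is flagged because device A has a timeout and device B sends no keepalives.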