MSR Series Routers
Configuring the IKE Keepalive Feature
Keywords: MSR; IKE; Keepalive; IPSec
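I. Network requirements:
Two MSR routers use Keepalive to keep their IKE SAs consistent.
Device list: 2 MSR series routers
II. Network diagram:
III. Configuration steps: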
RTA configuration:

    #
    // Set the interval at which IKE SA Keepalive packets are sent; 60 s here
    ike sa keepalive-timer interval 60
    #
    ike peer
     pre-shared-key h
     remote-address
    #
    ipsec proposal def
    #
    ipsec policy
     security acl 3000
     ike-peer
     proposal def
    #
    acl number 3000
     rule 0 permit ip source
    #
    interface GigabitEthernet0/0
     port link-mode route
     ip address
     ipsec policy
    #

RTB configuration:

    #
    // Set the IKE SA Keepalive timeout: if no Keepalive is received from the peer within this period, the IKE SA is deleted. It is 240 s here; the timeout is normally set to more than 3 times the peer's sending interval
    ike sa keepalive-timer timeout 240
    #
    ike peer
     pre-shared-key h
     remote-address
    #
    ipsec proposal def
    #
    ipsec policy
     security acl 3000
     ike-peer
     proposal def
    #
    acl number 3000
     rule 0 permit ip source
    #
    interface GigabitEthernet0/0
     port link-mode route
     ip address
     ipsec policy
    #

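IV. Key configuration points:
1) Keepalive is a one-way liveness mechanism (one end configures the sending interval, the other end configures the timeout). For two-way keepalive, both the interval and the timeout must be configured on both ends.
2) The timeout should be greater than 3 times the sending interval.
3) Keepalive is a proprietary mechanism; Keepalive implementations from different vendors do not interoperate.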
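
An added example, not part of the original page or any vendor tooling: a small Python check that reads the `ike sa keepalive-timer` lines from two device configurations and applies points 1) and 2) above separately in each direction. The function names and status strings are this example's own, and the sample configurations are constructed from the timer lines in the RTA and RTB listings.

```python
import re

# The two commands shown on this page:
#   ike sa keepalive-timer interval <seconds>
#   ike sa keepalive-timer timeout <seconds>
TIMER_RE = re.compile(r"^\s*ike sa keepalive-timer (interval|timeout) (\d+)\s*$", re.M)

def keepalive_timers(config_text):
    """Extract the keepalive interval/timeout (seconds, or None) from one config."""
    timers = {"interval": None, "timeout": None}
    for kind, seconds in TIMER_RE.findall(config_text):
        timers[kind] = int(seconds)
    return timers

def check_direction(sender, receiver):
    """Judge one direction: the sender's interval against the receiver's timeout."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if interval is None and timeout is None:
        return "unmonitored"        # no keepalive at all in this direction
    if interval is None:
        return "no-sender"          # receiver waits, hears nothing, deletes the IKE SA
    if timeout is None:
        return "no-receiver"        # keepalives are sent but their loss is never acted on
    if timeout <= 3 * interval:
        return "timeout-too-short"  # point 2): timeout should exceed 3 x interval
    return "ok"

def audit_pair(config_a, config_b):
    """Audit both directions between two devices' configuration text."""
    a, b = keepalive_timers(config_a), keepalive_timers(config_b)
    return {"a_to_b": check_direction(a, b), "b_to_a": check_direction(b, a)}

# Constructed sample input: only the timer lines from the RTA/RTB listings.
RTA = "#\nike sa keepalive-timer interval 60\n#\n"
RTB = "#\nike sa keepalive-timer timeout 240\n#\n"

# Constructed two-way variant: each end sets both an interval and a timeout.
RTA_TWO_WAY = RTA + "ike sa keepalive-timer timeout 240\n#\n"
RTB_TWO_WAY = RTB + "ike sa keepalive-timer interval 60\n#\n"

if __name__ == "__main__":
    print("as on this page:", audit_pair(RTA, RTB))
    print("two-way variant:", audit_pair(RTA_TWO_WAY, RTB_TWO_WAY))
```

With the page's values the RTA-to-RTB direction passes (240 > 3 x 60) and the reverse direction is reported as unmonitored, which is the one-way behaviour described in point 1).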