Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.
IPSec Global Settings

Context

This section describes how to set optional global IPSec parameters.

Procedure

  • Setting global IPSec parameters
    1. Choose VPN > IPSec VPN > IPSec Global Setting.

      Figure 16-3  Setting global IPSec parameters

    2. Set parameters listed in Table 16-2.
    3. Click Apply to make the settings take effect.

      To restore the default settings of all parameters, click Reset.

    Table 16-2  Global IPSec parameters

    Parameter

    Description

    Device local name

    Local host name used in IKE negotiation, which is case-insensitive.

    You can configure IPSec policies on the IPSec Policy Management tab page. You need to set Device local name only when Local identity type is set to Name. The value of Device local name must be the same as the value of Peer name set on the peer device.

    By default, no local host name is configured for IKE negotiation. The device name is used as the local name. To view or change the device name, see device information in Device Information.

    IPSec SA aging management

    Global SA lifetime applied to IPSec policies. During IPSec negotiation, the SA uses the shorter of the lifetimes set on the local end and on the remote end.

    The SA lifetime can be measured by time or by traffic:
    • Time-based (s): indicates the period of time an SA can exist after being established.
    • Traffic-based (KB): indicates the maximum traffic volume that an SA can process.

    When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IPSec negotiates a new SA.

    If SA aging mode is set on the IPSec Policy Management tab page, the global SA lifetime does not take effect.

    By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 KB.

    IKE heartbeat interval (s)

    Interval for sending heartbeat packets.

    If no heartbeat packet is received within the duration specified by IKE heartbeat timeout, the IPSec SA is deleted. Therefore, the heartbeat timeout must be longer than the interval at which the peer sends heartbeat packets.

    IKE heartbeat timeout (s)

    Timeout interval during which an IKE SA waits for a heartbeat packet.

    On a network, packet loss rarely occurs more than three consecutive times. Therefore, the timeout interval of heartbeat packets on one end can be set to three times the interval for sending heartbeat packets on the other end.

    NAT saving interval (s)

    Interval for sending NAT keepalive packets.

    If an IPSec tunnel with NAT traversal enabled is established and no packet passes through the NAT gateway for a long period, the NAT gateway ages out and deletes its NAT session entries, after which data can no longer be transmitted through the IPSec tunnel. To retain the NAT session entries, configure the device to send NAT keepalive packets periodically.

    By default, the interval for sending NAT keepalive packets is 20 seconds.

    Anti-replay

    Whether to enable the anti-replay function.

    After the anti-replay function is enabled, the system discards replayed packets instead of decapsulating them, saving system resources.

    By default, the anti-replay function is enabled.

    DF bit setting

    Don't fragment (DF) flag bit on the IPSec tunnel:
    • clear: The DF flag bit is set to 0, so IP packets can be fragmented.
    • set: The DF flag bit is set to 1, so IP packets are not fragmented.
    • copy: The DF flag bit of the original packet is copied.

    By default, the DF flag bit on an IPSec tunnel is the flag bit of original packets.

    Fragment packets before encryption

    Whether to fragment packets before encryption when the DF flag bit is 1.

    Before an IP packet is encapsulated with the IPSec header, the system calculates the predicted length of the encapsulated packet. If the predicted length exceeds the MTU of the outbound interface, the router fragments the IP packet before encryption, and the IKE peer of the router decrypts and reassembles the IPSec fragments. This reduces the CPU usage of the router.

    By default, IP packets are fragmented after being encrypted on an IPSec tunnel.
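As an added example (not Huawei's code), a small Python validator that encodes the relationships stated in Table 16-2: the negotiated SA lifetime is the shorter of the two ends' values, the heartbeat timeout must exceed the peer's sending interval (three times it is the stated rule of thumb), the NAT keepalive interval must be shorter than the NAT gateway's session timeout, and fragmentation before encryption is triggered when the predicted ESP tunnel-mode length exceeds the outbound MTU. The field names, the NAT session timeout value and the ESP overhead figures (AES-CBC with a 96-bit ICV) are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class IpsecGlobal:
    """Subset of the global parameters from Table 16-2 (defaults taken from the page)."""
    sa_lifetime_s: int = 3600
    sa_lifetime_kb: int = 1843200
    heartbeat_timeout_s: int = 60      # assumed value; the page gives no default
    nat_keepalive_s: int = 20
    anti_replay: bool = True


def negotiated_lifetime(local: IpsecGlobal, remote: IpsecGlobal) -> tuple[int, int]:
    """The SA takes the shorter of the two ends' lifetimes, for time and for traffic."""
    return (min(local.sa_lifetime_s, remote.sa_lifetime_s),
            min(local.sa_lifetime_kb, remote.sa_lifetime_kb))


def check_settings(local: IpsecGlobal, peer_heartbeat_interval_s: int,
                   nat_session_timeout_s: int) -> list[str]:
    """Return consistency findings; an empty list means nothing needs fixing."""
    findings = []
    if local.heartbeat_timeout_s <= peer_heartbeat_interval_s:
        findings.append("heartbeat timeout must exceed the peer's heartbeat interval")
    elif local.heartbeat_timeout_s < 3 * peer_heartbeat_interval_s:
        findings.append("heartbeat timeout below 3x the peer interval; brief loss tears the SA down")
    if local.nat_keepalive_s >= nat_session_timeout_s:
        findings.append("NAT keepalive interval must be shorter than the NAT gateway session timeout")
    if not local.anti_replay:
        findings.append("anti-replay disabled; replayed packets are decapsulated instead of dropped")
    return findings


def predicted_esp_tunnel_length(inner_len: int, iv_len: int = 16,
                                block: int = 16, icv_len: int = 12) -> int:
    """Predicted on-wire length after ESP tunnel-mode encapsulation.

    Assumes a 16-byte IV and block (AES-CBC) and a 96-bit ICV; the page only
    says the router predicts the length, not which algorithms it assumes.
    """
    encrypted = inner_len + 2                      # inner packet + pad-length and next-header bytes
    encrypted += (-encrypted) % block              # padding up to the cipher block size
    return 20 + 8 + iv_len + encrypted + icv_len   # outer IPv4 + ESP header + IV + payload + ICV


def fragment_before_encryption(inner_len: int, mtu: int) -> bool:
    """True when the predicted encapsulated length exceeds the outbound interface MTU."""
    return predicted_esp_tunnel_length(inner_len) > mtu
```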

Updated: 2019-04-12

Document ID: EDOC1100041803