ACM Installation and Operations Guide
Rev 3 Nov 17
24
4119855
b. After enabling DPD on the IKE group(s), set the global DPD parameters
(these apply to DPD for all groups). If not specified, default values are
used (30 second timeout, 3 retries):
set vpn ipsec ikev2-retransmit-timeout 15
set vpn ipsec ikev2-retransmit-tries 1
Note: Do not use the IKEv1 DPD configuration options “dead-peer-detection
interval” and “dead-peer-detection timeout”; these are not supported in IKEv2.
3. Configure IKE Version and MOBIKE:
set vpn ipsec ike-group <IKE-GRP-NAME> ike-version ikev2
set vpn ipsec ike-group <IKE-GRP-NAME> mobike yes
4. Configure IKE transform set proposals (Note: There can be more than one
proposal.) See
on page 22 for supported parameter values:
set vpn ipsec ike-group <IKE-GRP-NAME> proposal 10 dh-group <Dh_group_type>
set vpn ipsec ike-group <IKE-GRP-NAME> proposal 10 encryption <Encrypt_type>
set vpn ipsec ike-group <IKE-GRP-NAME> proposal 10 hash <Hash_type>
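Added example (not part of the guide): a short Python check that reads set vpn ipsec lines and, for IKEv2 groups, flags the IKEv1-only DPD options, a missing mobike yes, and proposals lacking dh-group, encryption or hash, and returns the effective global retransmit values using the defaults stated in step b. The function name audit, the group name GW-A and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
# Defaults the guide states for the global IKEv2 retransmit settings.
DEFAULTS = {"ikev2-retransmit-timeout": 30, "ikev2-retransmit-tries": 3}
IKEV1_DPD = {"interval", "timeout"}            # not supported in IKEv2
PROPOSAL_KEYS = {"dh-group", "encryption", "hash"}

# Constructed sample; group name and the value 120 are made up, and the
# <..._type> placeholders are kept from the guide.
SAMPLE = """\
set vpn ipsec ike-group GW-A ike-version ikev2
set vpn ipsec ike-group GW-A mobike yes
set vpn ipsec ike-group GW-A dead-peer-detection action clear
set vpn ipsec ike-group GW-A dead-peer-detection timeout 120
set vpn ipsec ike-group GW-A proposal 10 dh-group <Dh_group_type>
set vpn ipsec ike-group GW-A proposal 10 hash <Hash_type>
set vpn ipsec ikev2-retransmit-timeout 15
"""

def audit(config_text):
    """Return (findings, effective global DPD settings) for 'set vpn ipsec' lines."""
    groups = defaultdict(lambda: {"attrs": {}, "dpd": set(), "props": defaultdict(set)})
    effective = dict(DEFAULTS)
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "vpn", "ipsec"]:
            continue
        rest = tok[3:]
        if len(rest) == 2 and rest[0] in DEFAULTS:
            effective[rest[0]] = int(rest[1])
        elif len(rest) >= 4 and rest[0] == "ike-group":
            grp, key, args = groups[rest[1]], rest[2], rest[3:]
            if key == "dead-peer-detection":
                grp["dpd"].add(args[0])
            elif key == "proposal" and len(args) >= 2:
                grp["props"][args[0]].add(args[1])
            else:
                grp["attrs"][key] = args[0]
    findings = []
    for name, grp in sorted(groups.items()):
        if grp["attrs"].get("ike-version") != "ikev2":
            continue                            # IKEv1 groups are out of scope here
        for opt in sorted(grp["dpd"] & IKEV1_DPD):
            findings.append(f"{name}: IKEv1 DPD option '{opt}' not supported in IKEv2")
        if grp["attrs"].get("mobike") != "yes":
            findings.append(f"{name}: mobike is not set to yes")
        for num, keys in sorted(grp["props"].items()):
            for miss in sorted(PROPOSAL_KEYS - keys):
                findings.append(f"{name}: proposal {num} has no {miss}")
    return findings, effective
```

Calling audit(SAMPLE) reports the stray IKEv1 timeout option and the proposal with no encryption line, and shows that the retransmit tries value falls back to the default of 3.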
Configure IKE Groups with IKEv1
Note: oMG2000/500, MG90 and NCP Client for Windows should be configured for
IKEv2; see Configure IKE Groups with MOBIKE (IKEv2).
The following AirLink gateways support the IKEv1 protocol (IKEv2 is not
supported): LS, ES, GX, RV, and MP series.
Use the set vpn ipsec ike-group command to configure the IKE group parameters,
as described below.
Note: The attribute values used in the commands below are examples only; set the values
as appropriate for your configuration.
1. Configure the IKE group(s). There can be more than one IKE group and
they can be called independently for different peers. The IKE group name can
be any string.
set vpn ipsec ike-group <IKE-GRP-NAME>
2. After configuring your IKE group(s), configure Dead Peer Detection (DPD) for
each group:
a. Enable DPD:
set vpn ipsec ike-group <IKE-GRP-NAME> dead-peer-detection action clear