
(Optional) Configuring Heartbeat Detection to Detect the IKE Peer Status

Context

Heartbeat detection enables the local end to periodically send heartbeat packets to the remote end. If the local end does not receive heartbeat packets within the timeout interval, the local end considers the remote end unreachable and deletes the IKE SA or IPSec SA between the IKE peers.

There are limitations on heartbeat detection:
  • Enabling heartbeat detection consumes CPU resources to process IKE keepalive messages, so the number of established IPSec sessions is limited.
  • There are no uniform standards, so devices from different vendors may fail to interwork.

The interval at which the local end sends heartbeat packets must be configured together with the timeout interval of heartbeat packets at the remote end. If the remote end does not receive any heartbeat packet within the timeout interval and the IKE SA carries a timeout tag, the IKE SA and its corresponding IPSec SA are deleted. If the IKE SA does not carry a timeout tag, it is marked as timeout.

If IKE peers use IKEv1 during negotiation, the device supports heartbeat detection. If IKE peers use IKEv2 during negotiation, the device does not support heartbeat detection.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike heartbeat { seq-num { new | old } | spi-list }

    Parameters of heartbeat packets are set.

    By default, a heartbeat packet uses the old-type sequence number mechanism and does not carry the SPI list.

  3. Run ike heartbeat-timer interval interval

    The interval at which heartbeat packets are sent by an IKE SA is set.

    By default, an IKE SA does not send heartbeat packets.

  4. Run ike heartbeat-timer timeout seconds

    The timeout interval of heartbeat packets is set.

    By default, the timeout interval during which an IKE SA waits for a heartbeat packet is not configured.

    When ike heartbeat-timer interval is configured at one end, the ike heartbeat-timer timeout command must be used at the other end.

    The timeout interval of heartbeat packets must be longer than the interval at which heartbeat packets are sent. Generally, a network does not lose more than three consecutive packets. Therefore, it is recommended that the timeout interval of heartbeat packets be three times the interval at which heartbeat packets are sent.
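
The pairing rules in steps 3 and 4 can be checked offline before a change is pushed to both peers. The following is an added example, not Huawei code: it reads two configuration texts that contain the commands as written above and reports a missing counterpart timer, a timeout that is not longer than the interval, or a timeout below the recommended three times the interval. The sample configurations, their timer values and all function names are constructed for illustration.

```python
import re

# Constructed sample configurations for two IKEv1 peers (not taken from a real device).
SITE_A = """\
ike heartbeat seq-num new
ike heartbeat-timer interval 20
ike heartbeat-timer timeout 60
"""
SITE_B = """\
ike heartbeat-timer interval 20
ike heartbeat-timer timeout 30
"""

TIMER_RE = re.compile(r"^[ \t]*ike heartbeat-timer (interval|timeout) (\d+)[ \t]*$", re.M)


def parse_timers(config):
    """Return the heartbeat send interval and timeout (seconds, or None) in a config."""
    timers = {"interval": None, "timeout": None}
    for kind, value in TIMER_RE.findall(config):
        timers[kind] = int(value)
    return timers


def check_direction(sender, receiver, label):
    """Compare the sender's interval with the timeout configured on the receiver."""
    interval, timeout = sender["interval"], receiver["timeout"]
    if interval is None and timeout is None:
        return []  # heartbeat detection not used in this direction
    if interval is None:
        return [f"{label}: timeout set on the receiver but the sender has no interval"]
    if timeout is None:
        return [f"{label}: interval set on the sender but the receiver has no timeout"]
    if timeout <= interval:
        return [f"{label}: timeout {timeout}s must be longer than interval {interval}s"]
    if timeout < 3 * interval:
        return [f"{label}: timeout {timeout}s is shorter than the recommended {3 * interval}s"]
    return []


def audit(config_a, config_b):
    """Audit both heartbeat directions between peers A and B."""
    a, b = parse_timers(config_a), parse_timers(config_b)
    return check_direction(a, b, "A->B") + check_direction(b, a, "B->A")


if __name__ == "__main__":
    for finding in audit(SITE_A, SITE_B) or ["heartbeat timers are consistent"]:
        print(finding)
```

With the constructed samples, the A to B direction is flagged because the 30-second timeout on peer B is less than three times the 20-second interval on peer A.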

Copyright © Huawei Technologies Co., Ltd.