Allied Telesis AT-9900 用户手册
170
Enhancements to IPsec/VPN
Release Note
Software Version 2.8.1
C613-10477-00 REV B
C613-10477-00 REV B
This feature provides an alternative to using heartbeat exchanges. Heartbeat
exchanges are more robust under denial of service attacks, and may be able to
detect the problem before any network traffic is lost; however heartbeat
exchanges may be incompatible with some third party equipment.
exchanges are more robust under denial of service attacks, and may be able to
detect the problem before any network traffic is lost; however heartbeat
exchanges may be incompatible with some third party equipment.
Command Changes
The following table summarises the modified commands:
Modifying the Message Retransmission Delay
This Software Version adds a new message retransmission option for ISAKMP
policies, by adding a new msgbackoff parameter. This provides a choice of
back-off patterns for ISAKMP policies which are configured to retransmit
messages.
policies, by adding a new msgbackoff parameter. This provides a choice of
back-off patterns for ISAKMP policies which are configured to retransmit
messages.
■
When incremental is specified, the delay between retransmissions
increases in a linear manner, by twice the value set by the msgtimeout
parameter. That is, every retransmitted message is delayed by the last
delay time plus twice the msgtimeout value.
increases in a linear manner, by twice the value set by the msgtimeout
parameter. That is, every retransmitted message is delayed by the last
delay time plus twice the msgtimeout value.
■
When none is specified, the delay between retransmissions is static. All
retransmissions are sent after the delay specified by the msgtimeout
parameter.
retransmissions are sent after the delay specified by the msgtimeout
parameter.
The default for the parameter is incremental. To set a back-off pattern for
ISAKMP messages, use the msgbackoff parameter in the commands:
ISAKMP messages, use the msgbackoff parameter in the commands:
create isakmp policy=name peer={ipv4add|ipv6add|any}
[msgbackoff={incremental|none}] [msgretrylimit=0..1024]
[msgtimeout=1..86400] [other parameters]
set isakmp policy=name [msgbackoff={incremental|none}]
[msgretrylimit=0..1024] [msgtimeout=1..86400]
[other parameters]
The default value for the msgretrylimit is now 8, and the default for the
msgtimeout
msgtimeout
limit is now 4. ISAKMP policies created without changing the
defaults for these three parameters will have this message retransmission
pattern:
pattern:
1.
The router or switch sends the initial message.
2.
The router or switch retransmits the message 4 seconds later.
3.
If a second retransmission is needed, this occurs 8 seconds (twice the value
set by the msgtimeout parameter) after the first retransmission.
set by the msgtimeout parameter) after the first retransmission.
Command
Change
New respondbadspi parameter.
New respondbadspi parameter.
New Respond Bad SPI parameter in the output for a
specific policy.
specific policy.
New inBadSpiResponse parameter in output.
New badSpiRequests, badSpiFromKnownPeer,
badSpiInAggrMode, badSpiSendNotifyUnset
parameters in output when counters is set to general.
badSpiInAggrMode, badSpiSendNotifyUnset
parameters in output when counters is set to general.