HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 234
Configuring an IKE profile
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 234 highlights
Tasks at a glance (Optional.) Enabling invalid SPI recovery (Optional.) Setting the limit on the number of IKE SAs Remarks N/A N/A Configuring an IKE profile An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile, you can do the following: 1. Configure peer IDs. During IKE negotiation, when an end needs to select an IKE profile, it matches the received peer ID against the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the peer ID for IKE negotiation. 2. Configure the IKE keychain. 3. Specify the negotiation mode (main or aggressive) that the device uses as the initiator. When the device acts as the responder, it uses the IKE negotiation mode of the initiator. 4. Specifies the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. 5. Configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation: { For digital signature authentication, the device can use any type of ID. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN (the device name configured by using the sysname command) instead. { For pre-shared key authentication, the device can use any type of ID other than the DN. 6. Configure the IKE DPD function to detect dead IKE peers. You can also configure this function in system view. The IKE DPD settings configured in IKE profile takes precedence over those configured in system view. 7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface referencing the IPsec policy. 8. Specify a priority number for the IKE profile. To determine the priority of an IKE profile: a. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority. b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority. c. If a tie still exists, the device prefers an IKE profile configured earlier. To configure an IKE profile: Step 1. Enter system view. 2. Create an IKE profile and enter its view. Command system-view ike profile profile-name Remarks N/A By default, no IKE profile is configured. 225