HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 236
Configuring an IKE proposal
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 236 highlights
Step Command 10. Specify an inside VPN instance. inside-vpn vpn-instance vpn-name 11. Specify a priority for the IKE profile. priority number Remarks By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance with the same name as the VPN instance on the external network. By default, the priority of an IKE profile is 100. Configuring an IKE proposal An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority. Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation: • The initiator sends its IKE proposals to the peer. { If the initiator is using an IPsec with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority. { If the initiator is using an IPsec with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority. • The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in the descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA. Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings. To configure an IKE proposal: Step 1. Enter system view. Command system-view Remarks N/A 2. Create an IKE proposal and enter its view. ike proposal proposal-number By default, there is an IKE proposal that is used as the default IKE proposal. 3. Specify an encryption algorithm for the IKE proposal. encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode in non-FIPS mode and 128-bit AES encryption algorithm in FIPS mode. 4. Specify an authentication method for the IKE proposal. authentication-method { dsa-signature | pre-share | rsa-signature } By default, an IKE proposal uses the pre-shared key authentication method. 227