HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 237
Configuring an IKE keychain
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 237 highlights
Step 5. Specify an authentication algorithm for the IKE proposal. 6. Specify a DH group for key negotiation in phase 1. 7. Set the IKE SA lifetime for the IKE proposal. Command • In non-FIPS mode: authentication-algorithm { md5 | sha } • In FIPS mode: authentication-algorithm sha • In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 } • In FIPS mode: dh group14 sa duration seconds Remarks By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm. By default, DH group1 (the 768-bit DH group) is used in non-FIPS mode, and DH group 14 (2048-bit DH group) is used in FIPS mode. By default, the IKE SA lifetime is 86400 seconds. Configuring an IKE keychain Perform this task when you configure the IKE to use the pre-shared key for authentication. Follow these guidelines when you configure an IKE keychain: 1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication. 2. You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface referencing the IPsec policy. 3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain: a. The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority. b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority. c. If a tie still exists, the device prefers an IKE keychain configured earlier. To configure the IKE keychain: Step Command Remarks 1. Enter system view. system-view N/A 2. Create an IKE keychain and ike keychain keychain-name enter its view. [ vpn-instance vpn-name ] By default, no IKE keychain exists. By default, no pre-shared key is pre-shared-key { address configured. { ipv4-address [ mask | mask-length ] | For security purposes, all 3. Configure a pre-shared key. ipv6 ipv6-address [ prefix-length ] } | pre-shared keys, including those hostname host-name } key { cipher configured in plain text, are cipher-key | simple simple-key } saved in cipher text to the configuration file. 228