HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 238
Configuring the global identity information, Configuring the IKE keepalive function
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 238 highlights
Step 4. (Optional.) Specify a local interface or IP address that the IKE keychain can be applied to. 5. (Optional.) Specify a priority for the IKE keychain. Command match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] } priority number Remarks By default, an IKE keychain can be applied to any local interface or IP address. The default priority is 100. Configuring the global identity information Follow these guidelines when you configure the global identity information for the local IKE. • The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. • When signature authentication is used, you can set any type of the identity information. • When pre-shared key authentication is used, you cannot set the DN as the identity. To configure the global identity information: Step 1. Enter system view. 2. Configure the global identity to be used by the local. Command system-view ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] } 3. (Optional.) Configure the local device to always obtain the identity information from the local certificate for ike signature-identity from-certificate signature authentication. Remarks N/A By default, the IP address of the interface where the IPsec policy or IPsec policy template applies is used as the IKE identity. By default, the local end uses the identity information specified by local-identity or ike identity for signature authentication. Configure the command on the local device that initiates aggressive IKE SA negotiations that use signature authentication for compatibility with the peer device running a Comware V5-based release. Such release supports only DN for signature authentication. Configuring the IKE keepalive function IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval at the local. If the peer receives no keepalive packets during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated. Follow these guidelines when you configure the IKE keepalive function: 229