Configuring an IKE proposal - HP 5920 Series Configuration Manual

Configuring an IKE profile (continued): steps 8 through 11

Step 8. (Optional.) Configure IKE DPD.
Command: dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
Remarks: By default, the IKE DPD function is not configured for an IKE profile, and an IKE profile uses the DPD settings configured in system view. If the IKE DPD function is not configured in system view either, the device does not perform dead IKE peer detection.

Step 9. (Optional.) Specify the local interface or IP address to which the IKE profile can be applied.
Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
Remarks: By default, an IKE profile can be applied to any local interface or IP address.

Step 10. (Optional.) Specify an inside VPN instance.
Command: inside-vpn vpn-instance vpn-name
Remarks: By default, no inside VPN instance is specified for an IKE profile, and the device forwards protected data to the VPN instance with the same name as the VPN instance on the external network.

Step 11. (Optional.) Specify a priority for the IKE profile.
Command: priority number
Remarks: By default, the priority of an IKE profile is 100.

Configuring an IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.

Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:

• The initiator sends its IKE proposals to the peer.
  • If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
  • If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller sequence number has a higher priority.
• The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If no user-defined IKE proposal matches, the two peers use their default IKE proposals to establish the IKE SA.

Because of this fall-back, a proposal mismatch between two peers does not fail the negotiation: the IKE SA is established with the default proposal's algorithms, which may be weaker than anything you configured. Check what the default IKE proposal contains on both devices before relying on user-defined proposals alone.

Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The IKE SA lifetime is the smaller of the two proposals' SA lifetime settings.

To configure an IKE proposal:
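The proposal selection logic described in the section above, as an added example that is not code from the manual or from HP: a small Python model of how the initiator orders what it offers (IKE profile order versus ascending sequence number), how the responder walks its own proposals in priority order, how the SA lifetime is chosen, and what happens when nothing user-defined matches. The two peers' proposals are constructed sample data, and the DEFAULT_PROPOSAL values are a placeholder assumed for the simulation, not the device's actual default proposal.

```python
"""Simulation of the IKE phase-1 proposal selection described on this page.

Added example, not HP/Comware code. It models three things the text
describes: the order in which the initiator offers its proposals (IKE
profile order vs. ascending sequence number), the responder's search of
its own proposals in priority order, and the fall-back to the default
proposal when no user-defined proposal matches. All proposals below are
constructed sample data; DEFAULT_PROPOSAL is a placeholder, not the
device's real default.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    seq: int                  # sequence number: the lower, the higher the priority
    encryption: str           # encryption algorithm, e.g. "aes-cbc-128"
    auth_method: str          # authentication method, e.g. "pre-share"
    auth_algorithm: str       # authentication (integrity) algorithm, e.g. "sha"
    dh_group: str             # DH group, e.g. "group14"
    sa_duration: int = 86400  # IKE SA lifetime in seconds

    def matches(self, other: "IkeProposal") -> bool:
        """Match on the four negotiated attributes only. The lifetime is not
        compared; the smaller of the two is adopted after the match."""
        return (self.encryption == other.encryption
                and self.auth_method == other.auth_method
                and self.auth_algorithm == other.auth_algorithm
                and self.dh_group == other.dh_group)


@dataclass(frozen=True)
class NegotiatedSa:
    encryption: str
    auth_method: str
    auth_algorithm: str
    dh_group: str
    sa_duration: int
    used_default: bool        # True when both peers fell back to their defaults


# Placeholder default proposal (assumed for this simulation only). Deliberately
# weak to make the point: a silent fall-back can negotiate something you never
# configured, so check the real default proposal on both devices.
DEFAULT_PROPOSAL = IkeProposal(0, "des-cbc", "pre-share", "sha", "group1")


def initiator_offer(proposals: Dict[int, IkeProposal],
                    profile_seqs: Optional[List[int]] = None) -> List[IkeProposal]:
    """Proposals the initiator sends, highest priority first.

    With an IKE profile: only the proposals the profile references, in the
    order they were specified for the profile. Without one: every proposal,
    in ascending sequence number."""
    if profile_seqs is not None:
        return [proposals[s] for s in profile_seqs]
    return [proposals[s] for s in sorted(proposals)]


def negotiate(initiator: Dict[int, IkeProposal],
              responder: Dict[int, IkeProposal],
              profile_seqs: Optional[List[int]] = None,
              default: IkeProposal = DEFAULT_PROPOSAL) -> NegotiatedSa:
    """Responder-side selection: walk the responder's own proposals from the
    highest priority downwards and take the first one that any offered
    proposal matches. The responder's ordering decides, not the initiator's
    preference."""
    offered = initiator_offer(initiator, profile_seqs)
    for local in sorted(responder.values(), key=lambda p: p.seq):
        for remote in offered:
            if local.matches(remote):
                return NegotiatedSa(local.encryption, local.auth_method,
                                    local.auth_algorithm, local.dh_group,
                                    min(local.sa_duration, remote.sa_duration),
                                    used_default=False)
    # No user-defined proposal matched: both sides use their default proposal
    # (assumed identical here), so negotiation succeeds with the default's
    # algorithms instead of failing.
    return NegotiatedSa(default.encryption, default.auth_method,
                        default.auth_algorithm, default.dh_group,
                        default.sa_duration, used_default=True)


# Constructed sample configuration for two peers (not from the manual).
INITIATOR = {
    10: IkeProposal(10, "aes-cbc-256", "pre-share", "sha256", "group14"),
    20: IkeProposal(20, "aes-cbc-128", "pre-share", "sha", "group2"),
}
RESPONDER = {
    5: IkeProposal(5, "aes-cbc-128", "pre-share", "sha", "group2", sa_duration=3600),
    15: IkeProposal(15, "aes-cbc-256", "pre-share", "sha256", "group14", sa_duration=28800),
}


if __name__ == "__main__":
    # No IKE profile: the initiator offers 10 then 20, but the responder's own
    # highest-priority proposal (5) matches proposal 20, so AES-128 wins.
    print(negotiate(INITIATOR, RESPONDER))
    # A profile referencing only proposal 10 forces the AES-256 proposal.
    print(negotiate(INITIATOR, RESPONDER, profile_seqs=[10]))
    # Nothing matches: silent fall-back to the (placeholder) default proposal.
    lone = {30: IkeProposal(30, "3des-cbc", "pre-share", "md5", "group5")}
    print(negotiate(lone, RESPONDER))
```

In the first case the responder's highest-priority proposal (AES-128, DH group 2) is selected even though the initiator listed AES-256 first; if the initiator's preference is to be honoured, the responder must carry the same ordering. The third case is the one to watch for operationally: a complete mismatch does not produce an error, it produces an IKE SA on whatever the default proposal contains.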
This manual is also suitable for: 5900 series