HP MSR2000 Configuration Manual page 194

a. First, the device checks whether the match local address command is configured. An IKE profile with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers an IKE profile configured earlier.

To configure an IKE profile:

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKE profile and enter its view.
   Command: ike profile profile-name
   Remarks: By default, no IKE profile is configured.

3. Configure a peer ID.
   Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
   Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
   Command:
   To specify the keychain for pre-shared key authentication:
   keychain keychain-name
   To specify the PKI domain used to request a certificate for digital signature authentication:
   certificate domain domain-name
   Remarks: Configure either or both of the commands as required. By default, no IKE keychain or PKI domain is specified for an IKE profile.

5. Specify the IKE negotiation mode for phase 1.
   Command:
   In non-FIPS mode:
   exchange-mode { aggressive | main }
   In FIPS mode:
   exchange-mode main
   Remarks: By default, the main mode is used during IKE negotiation phase 1.

6. Specify the IKE proposals for the IKE profile to reference.
   Command: proposal proposal-number&<1-6>
   Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.

7. Configure the local ID.
   Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
   Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view either, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.
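
The selection rules a to c and the remarks for steps 3 and 5 can be checked offline against saved configuration text. The following Python sketch is an added example, not part of the manual or of any HP tool. It assumes the saved text shows each profile as an "ike profile" line followed by indented commands, that the priority number is set by a "priority" line, and that a profile without one gets the placeholder default of 100. The sample configuration is constructed.

```python
import re
DEFAULT_PRIORITY = 100  # assumption: value used when a profile has no priority line

# Constructed sample; names, addresses and priority values are made up.
SAMPLE = """\
ike profile branch-a
 exchange-mode aggressive
 match remote identity address 203.0.113.0 255.255.255.0
 priority 10
#
ike profile branch-b
 match remote identity address 203.0.113.0 255.255.255.0
 match local address 198.51.100.1
 priority 50
#
ike profile branch-c
 certificate domain pki1
 priority 10
"""

def parse_profiles(text):
    """Return IKE profiles in configuration order with the fields the rules use."""
    profiles, cur = [], None
    for raw in text.splitlines():
        head, words = re.fullmatch(r"ike profile (\S+)", raw), raw.split()
        if head:
            cur = {"name": head.group(1), "order": len(profiles), "local": False,
                   "priority": DEFAULT_PRIORITY, "mode": "main", "peer_id": False}
            profiles.append(cur)
        elif not raw.startswith(" ") or not words:
            cur = None  # separator or another section: the profile view has ended
        elif cur is not None:
            if words[:3] == ["match", "local", "address"]:
                cur["local"] = True
            elif words[:2] == ["match", "remote"]:
                cur["peer_id"] = True
            elif words[0] == "priority" and len(words) == 2 and words[1].isdigit():
                cur["priority"] = int(words[1])
            elif words[0] == "exchange-mode" and len(words) == 2:
                cur["mode"] = words[1]
    return profiles

def rank(profiles):
    # a: has match local address; b: smaller priority number; c: configured earlier
    key = lambda p: (not p["local"], p["priority"], p["order"])
    return [p["name"] for p in sorted(profiles, key=key)]

def audit(profiles):  # flag settings that the remarks for steps 3 and 5 rule out
    return ([(p["name"], "aggressive mode is not available in FIPS mode")
             for p in profiles if p["mode"] == "aggressive"]
            + [(p["name"], "no peer ID (match remote)") for p in profiles if not p["peer_id"]])
```

On the sample, branch-b ranks first because of rule a even though its priority number is larger, and branch-a precedes branch-c only because it was configured earlier.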

This manual is also suitable for: MSR3000, MSR4000