Configuring An Ike-Based Ipsec Policy - HP VSR1000 Security Configuration Manual
Virtual services router
Hide thumbs
Also See for VSR1000:
- Configuration manual (463 pages) ,
- High availability configuration manual (91 pages) ,
- Layer 2 - wan access command reference (50 pages)
Table of Contents
Advertisement
Step
8.
Configure keys for the
IPsec SA.
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
Directly configure it by configuring the parameters in IPsec policy view.
•
Configure it by referencing an existing IPsec policy template with the parameters to be negotiated
•
configured.
A device referencing an IPsec policy that is configured in this way cannot initiate an SA
negotiation, but it can respond to a negotiation request. The parameters not defined in the
template are determined by the initiator. When the remote end's information (such as the IP
address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Configuration restrictions and guidelines
When you configure an IKE-based IPsec policy, make sure the IPsec configuration at the two ends of an
IPsec tunnel meets the following requirements:
•
The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security
protocols, security algorithms, and encapsulation mode.
The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
•
Command
•
Configure an authentication
key in hexadecimal format for
AH:
sa hex-key authentication
{ inbound | outbound } ah
{ cipher | simple } key-value
•
Configure an authentication
key in character format for AH:
sa string-key { inbound |
outbound } ah { cipher |
simple } key-value
•
Configure a key in character
format for ESP:
sa string-key { inbound |
outbound } esp { cipher |
simple } key-value
•
Configure an authentication
key in hexadecimal format for
ESP:
sa hex-key authentication
{ inbound | outbound } esp
{ cipher | simple } key-value
•
Configure an encryption key in
hexadecimal format for ESP:
sa hex-key encryption
{ inbound | outbound } esp
{ cipher | simple } key-value
183
Remarks
By default, no keys are configured for the
IPsec SA.
Configure keys correctly for the security
protocol (AH, ESP, or both) you have
specified in the IPsec transform set
referenced by the IPsec policy.
If you configure a key in both the
character and the hexadecimal formats,
only the most recent configuration takes
effect.
If you configure a key in character format
for ESP, the device automatically
generates an authentication key and an
encryption key for ESP.
- Quick Links:
- Configuring the Device as an Ssh...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
