Configuring an IKEv2 Profile - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

- The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms,
  integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide
  different levels of protection. A stronger algorithm means better resistance to decryption of
  protected data but requires more resources. Typically, the longer the key, the stronger the
  algorithm.
- The local and remote identity authentication methods.
  - To use the pre-shared key authentication method, you must determine the pre-shared key.
  - To use the RSA digital signature authentication method, you must determine the PKI
    domain for the local end to use. For information about PKI, see "Configuring PKI."

To configure IKEv2, perform the following tasks:

| Tasks at a glance | Remarks |
|---|---|
| (Required.) Configuring an IKEv2 profile | N/A |
| (Required.) Configuring an IKEv2 policy | N/A |
| (Optional.) Configuring an IKEv2 proposal | If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal. |
| Configuring an IKEv2 keychain | Required when either end or both ends use the pre-shared key authentication method. |
| Configure global IKEv2 parameters: (Optional.) Enabling the cookie challenging feature; (Optional.) Configuring the IKEv2 DPD feature; (Optional.) Configuring the IKEv2 NAT keepalive feature; (Optional.) Configuring IKEv2 address pools | The cookie challenging feature takes effect only on IKEv2 responders. |

Configuring an IKEv2 profile

An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an
IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
   The local and remote identity authentication methods must both be specified and they can be
   different. You can specify only one local identity authentication method and multiple remote
   identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
   - To use digital signature authentication, configure a PKI domain.
   - To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2
   negotiation:
   - For digital signature authentication, the device can use an ID of any type. If the local ID is an
     IP address that is different from the IP address in the local certificate, the device uses the
     FQDN as the local ID. The FQDN is the device name configured by using the sysname
     command.
   - For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
   The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a
   match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2
   profiles will be compared in descending order of their priorities.
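
The rules in steps 1 to 4 above, modeled as an added Python example for reviewing a planned set of profiles before deployment; it is not HPE code and uses no device CLI. The Profile model, the exact-match comparison of peer IDs, the lower-number-first priority ordering, applying the DN rule to the local authentication method, and all sample values are assumptions.

```python
from dataclasses import dataclass

PSK, SIGNATURE = "pre-share", "signature"  # labels for this sketch, not CLI keywords
@dataclass
class Profile:                 # hypothetical model of one IKEv2 profile
    name: str
    priority: int              # assumption: lower number is compared first
    local_auth: str            # exactly one local method
    remote_auth: list          # one or more remote methods
    local_id: tuple            # (type, value); type: address, fqdn, email, dn, key-id
    peer_ids: list             # (type, value) pairs, compared exactly (assumption)
    keychain: str = ""
    pki_domain: str = ""

def check(p):
    """Steps 1-3: return the rule violations for one profile."""
    methods = {p.local_auth, *p.remote_auth}
    rules = [
        (not (p.local_auth and p.remote_auth), "local and remote methods are both required"),
        (PSK in methods and not p.keychain, "PSK authentication needs an IKEv2 keychain"),
        (SIGNATURE in methods and not p.pki_domain, "signature authentication needs a PKI domain"),
        (p.local_auth == PSK and p.local_id[0] == "dn", "DN local ID not allowed with PSK"),
    ]
    return [message for failed, message in rules if failed]

def effective_local_id(p, cert_ip, sysname):
    """Step 3: an address ID that differs from the certificate's IP becomes the FQDN."""
    if p.local_auth == SIGNATURE and p.local_id[0] == "address" and p.local_id[1] != cert_ip:
        return ("fqdn", sysname)
    return p.local_id

def select_profile(profiles, peer_id):
    """Step 4: first profile in priority order that lists the received peer ID."""
    ranked = sorted(profiles, key=lambda p: p.priority)
    return next((p for p in ranked if peer_id in p.peer_ids), None)

def shadowed(profiles):
    """Peer IDs listed in several profiles; only the first in priority order is used."""
    owner, hits = {}, []
    for p in sorted(profiles, key=lambda p: p.priority):
        for pid in p.peer_ids:
            if owner.setdefault(pid, p.name) != p.name:
                hits.append((pid, owner[pid], p.name))
    return hits

# Constructed sample profiles (documentation addresses and names).
BRANCH = Profile("branch-psk", 10, PSK, [PSK], ("dn", "CN=hq"), [("fqdn", "branch.example.com")])
HQ = Profile("hq-cert", 20, SIGNATURE, [SIGNATURE, PSK], ("address", "192.0.2.1"),
             [("fqdn", "branch.example.com"), ("address", "198.51.100.7")], "kc1", "dom1")
```

A peer ID reported by shadowed() is always handled by the profile that comes first in priority order, so that profile's authentication methods are the ones applied to the peer.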
