HP MSR Series Configuration Manual page 380

HPE FlexNetwork MSR Router Series

5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:
   a. First, the device checks whether the match local command is configured. An IKEv2 profile with the match local command configured has a higher priority.
   b. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller priority number has a higher priority.
   c. If a tie still exists, the device prefers an IKEv2 profile configured earlier.
7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation only on the interfaces that belong to the VPN instance.
8. Configure the IKEv2 SA lifetime.
   The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime expires.
9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
10. Specify an inside VPN instance. This setting determines where the device should forward received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the packets. If you do not specify an inside VPN instance, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.
11. Configure the NAT keepalive interval.
    Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive packets regularly to its peer to prevent the NAT session from aging out because no traffic matches it.
12. Enable the configuration exchange feature.
    The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response.
    This feature typically applies to scenarios where branches and the headquarters communicate through virtual tunnels.
    This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec gateway at the headquarters. When the headquarters receives the request, it sends an IP address to the branch in the response packet. The headquarters can also actively push an IP address to the branch. The branch uses the allocated IP address as the IP address of the virtual tunnel to communicate with the headquarters.
13. Enable AAA authorization.
    The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote users. For more information about AAA authorization, see "Configuring AAA."

To configure an IKEv2 profile:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create an IKEv2 profile and enter IKEv2 profile view. | ikev2 profile profile-name | By default, no IKEv2 profiles exist.
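
The profile priority rules in step 6 can be checked offline against an inventory of configured profiles. The following is an added example, not code from the manual or from the device software: the `Profile` fields, the profile names, and the sample values are constructed, and every listed profile is assumed to already match the peer being evaluated.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Profile:
    name: str              # constructed sample name
    has_match_local: bool  # True if a match local command is configured
    priority: int          # configured priority number (smaller wins)
    order: int             # configuration order, 0 = configured first


def rank_key(p):
    # Rule a: match local present; rule b: smaller priority number;
    # rule c: configured earlier.
    return (not p.has_match_local, p.priority, p.order)


def tie_key(p):
    # Rules a and b only; profiles equal here differ only by rule c.
    return (not p.has_match_local, p.priority)


def rank(profiles):
    """Return profiles from highest to lowest priority."""
    return sorted(profiles, key=rank_key)


def order_dependent_ties(profiles):
    """Groups of profile names separated only by configuration order."""
    groups = []
    for _, grp in groupby(rank(profiles), key=tie_key):
        names = [p.name for p in grp]
        if len(names) > 1:
            groups.append(names)
    return groups


# Constructed inventory, listed in configuration order.
SAMPLE = [
    Profile("branch-any", False, 10, 0),
    Profile("hq-wan", True, 200, 1),
    Profile("hq-backup", True, 200, 2),
    Profile("lab", True, 50, 3),
]

if __name__ == "__main__":
    print("priority order:", [p.name for p in rank(SAMPLE)])
    print("order-dependent ties:", order_dependent_ties(SAMPLE))
```

A group reported by `order_dependent_ties` is worth reviewing, because deleting and re-creating one of its profiles changes which profile the device prefers. Note that `branch-any` ranks last despite its small priority number, since rule a is evaluated before rule b.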
