HPE FlexFabric 7900 Series Security Configuration Manual page 5

Table of Contents

    SSL protocol stack (p. 99)
  Feature and software version compatibility (p. 100)
  FIPS compliance (p. 100)
  SSL configuration task list (p. 100)
  Configuring an SSL server policy (p. 100)
  Configuring an SSL client policy (p. 102)
  Displaying and maintaining SSL (p. 103)
Configuring IPsec (p. 104)
  Overview (p. 104)
    Security protocols and encapsulation modes (p. 104)
    Security association (p. 106)
    Authentication and encryption (p. 106)
    IPsec implementation (p. 107)
    Protocols and standards (p. 107)
  IPsec tunnel establishment (p. 108)
  Implementing ACL-based IPsec (p. 108)
    Feature restrictions and guidelines (p. 108)
    ACL-based IPsec configuration task list (p. 108)
    Configuring an ACL (p. 109)
    Configuring an IPsec transform set (p. 110)
    Configuring a manual IPsec policy (p. 111)
    Configuring an IKE-based IPsec policy (p. 112)
    Applying an IPsec policy to an interface (p. 114)
    Enabling ACL checking for de-encapsulated packets (p. 115)
    Configuring the IPsec anti-replay function (p. 115)
    Binding a source interface to an IPsec policy (p. 116)
    Enabling QoS pre-classify (p. 116)
    Enabling logging of IPsec packets (p. 117)
    Configuring the DF bit of IPsec packets (p. 117)
  Configuring SNMP notifications for IPsec (p. 118)
  Displaying and maintaining IPsec (p. 118)
  IPsec configuration examples (p. 119)
    Configuring a manual mode IPsec tunnel for IPv4 packets (p. 119)
    Configuring an IKE-based IPsec tunnel for IPv4 packets (p. 121)
Configuring IKE (p. 125)
  Overview (p. 125)
    IKE negotiation process (p. 125)
    IKE security mechanism (p. 126)
    Protocols and standards (p. 127)
  IKE configuration prerequisites (p. 127)
  IKE configuration task list (p. 127)
  Configuring an IKE profile (p. 128)
  Configuring an IKE proposal (p. 129)
  Configuring an IKE keychain (p. 131)
  Configuring the global identity information (p. 131)
  Configuring the IKE keepalive function (p. 132)
  Configuring the IKE NAT keepalive function (p. 132)
  Configuring IKE DPD (p. 133)
  Enabling invalid SPI recovery (p. 133)
  Setting the maximum number of IKE SAs (p. 134)
  Configuring SNMP notifications for IKE (p. 134)
  Displaying and maintaining IKE (p. 135)
  Main mode IKE with pre-shared key authentication configuration example (p. 135)
    Network requirements (p. 135)
    Configuration procedure (p. 135)
    Verifying the configuration (p. 138)
  Troubleshooting IKE (p. 138)
    IKE negotiation failed because no matching IKE proposals were found (p. 138)
    IPsec SA negotiation failed because no matching IPsec transform sets were found (p. 139)