Step 5. Specify a keyring.
Command: keyring keyring-name
Remarks: Required when either or both peers use the pre-shared key authentication method. By default, an IKEv2 profile references no keyring. An IKEv2 profile can reference only one keyring.

Step 6. Specify the IKEv2 profile matching criteria.
Command: match { address local { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address } | certificate access-control-policy string | identity remote { address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ mask ] } | email email-string | fqdn fqdn-name | key-id key-id } }
Remarks: Required for the device to work as a responder. When working as the responder, the device uses these criteria to search for an IKEv2 profile. An initiator does not require this configuration. It uses the IKEv2 profile specified in the IPsec policy. By default, no IKEv2 profile matching criterion is configured. If you specify multiple matching criteria for an IKEv2 profile, the match must meet one criterion of each specified type.

Step 7. Specify the PKI domains.
Command: pki domain domain-name [ sign | verify ]
Remarks: If the local end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the local end and a PKI domain for certificate verification on the remote end. If the remote end uses the RSA digital signature authentication method, you must configure a PKI domain for certificate signing on the remote end and a PKI domain for certificate verification on the local end. By default, the existing PKI domains in the system are used to authenticate certificates.

Step 8. Configure the DPD function.
Command: dpd interval { on-demand | periodic }
Remarks: Optional. By default, IKEv2 DPD is disabled.

Step 9. Set the IKEv2 SA lifetime.
Command: lifetime seconds
Remarks: Optional. 86400 seconds by default.

Step 10. Set the IKEv2 NAT keepalive interval.
Command: nat keepalive seconds
Remarks: Optional. 10 seconds by default.

Step 11. Enable the device to accept the IP address allocation requests from IKEv2 negotiation initiators.
Command: client configuration address respond
Remarks: Optional. By default, the device does not accept the IP address allocation requests from initiators. This configuration is only intended for an IKEv2 negotiation responder.

Step 12. Enable the device to send IP address allocation requests.
Command: connect auto
Remarks: Optional. By default, the device does not send IP address allocation requests. This configuration is only intended for an IKEv2 negotiation initiator.
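Steps 5 through 12 assembled into one responder-side profile that authenticates branch peers with RSA certificates, as an added example rather than configuration taken from this manual. The `system-view` and `ikev2 profile` context commands, the numeric `dpd interval` timer and retry values, and every name, interface and address are assumptions; the page itself lists only the commands shown in the table above.

```text
# Assumed context commands (not on this page): system-view, ikev2 profile <name>
system-view
 ikev2 profile hq-responder
  # Step 6: two criteria of the "identity remote" type are OR-ed, and the
  # single "address local" criterion must ALSO match (one criterion of each
  # type), so only the two named branches arriving on the WAN interface select
  # this profile; unknown identities fall through to no profile.
  match address local interface GigabitEthernet1/0/1
  match identity remote fqdn branch1.example.com
  match identity remote fqdn branch2.example.com
  # Step 7: this end signs with its own domain and verifies the peer's
  # certificate against a separate domain, instead of relying on the default
  # "all PKI domains in the system" behaviour.
  pki domain hq-sign sign
  pki domain hq-verify verify
  # Step 8: DPD so that a dead peer's SA is torn down rather than kept alive
  # (interval/retry values assumed; the page shows only the mode keyword).
  dpd interval 30 retry 5 periodic
  # Step 9: rekey the IKEv2 SA every 12 hours instead of the 86400 s default.
  lifetime 43200
  # Step 10: NAT keepalive every 20 s (default is 10 s).
  nat keepalive 20
  # Step 11: this device is the responder, so it answers address-allocation
  # requests from initiators; the initiator-only "connect auto" (step 12) and
  # the PSK-only "keyring" (step 5) are deliberately left out here.
  client configuration address respond
```

Because no `keyring` is referenced, a peer that proposes pre-shared-key authentication cannot match this profile, which is the intended effect when only certificate-authenticated branches are allowed.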