The IKE settings on the primary and secondary KSs must match. Otherwise, phase-1 IKE
negotiation will fail.
Configuring the GDOI KS
Complete the following tasks before you configure the GDOI KS:
• IKE configuration—Configure an IKE proposal and IKE peers for phase-1 IKE negotiation with GMs. Each IKE peer is identified by the address of the GM's registration interface. If KS redundancy is needed, you must configure an IKE proposal and IKE peers for phase-1 IKE negotiation with other KSs. Each IKE peer is identified by the address of the KS. For more information about IKE, see "Configuring IKE."
• IPsec configuration—Configure an IPsec profile for TEK generation. For more information about IPsec, see "Configuring IPsec."
• ACL configuration—Configure an ACL to match the traffic protected by TEK and specify the source and destination addresses for multicast rekey messages.
GDOI KS configuration task list
Task                                                      Remarks
Configuring basic settings for a GDOI KS group            Required.
Configuring GDOI KS redundancy                            Optional.
Specifying the source address for packets sent by the KS  Required.
Configuring rekey parameters                              Optional.
Configuring basic settings for a GDOI KS group
A device supports multiple GDOI KS groups. A GDOI KS group includes all settings required by a KS in the group. The following describes basic GDOI KS group settings:
• Group name—Identifies the GDOI KS group on the device.
• Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID received from a GM to determine the GDOI KS group that the GM wants to join. Each group can have only one group ID, which must be a group number or an IP address.
• Key pair—Used to generate local asymmetric key pairs carried in rekey messages. Each GDOI KS group can reference only one key pair. The public key in the key pair is used as part of the KEK assigned to GMs. A GM uses the public key to authenticate the KS.
• Rekey ACL—Specifies the source and destination addresses for multicast rekey messages. Each GDOI KS group can reference only one rekey ACL.
• IPsec policy—Includes an IPsec profile for TEK protection and an ACL that identifies the traffic to be protected.
Follow these guidelines when you configure basic settings for a GDOI KS group:
• A GDOI KS group can have only one group ID. A newly configured group ID overwrites the previous one.
• Different GDOI KS groups must have different group IDs.
• The GDOI KSs that back up each other must reference the same key pair. As a result, you must make sure the GDOI KSs locally have the same key pair. You can export the local key pair from
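As an added example (not from this manual or the vendor), the Python below checks a planned two-KS deployment against the rules in this section before anything is configured: IKE settings on KSs that back each other up must match, different groups must have different group IDs that are a group number or an IP address, and a group served by both KSs must reference the same key pair. The KS definitions and their field names are constructed assumptions, not device output.

```python
from collections import Counter
import ipaddress
# Constructed planning data (not a device dump); field names are assumptions mirroring the guide's settings.
PRIMARY_KS = {
    "name": "ks1",
    "ike": {"encryption": "aes-cbc-256", "hash": "sha256", "dh": "group14"},
    "groups": [
        {"name": "finance", "group_id": 100, "key_pair": "gdoi-rsa"},
        {"name": "branch", "group_id": "239.1.1.1", "key_pair": "gdoi-rsa"},
    ],
}
SECONDARY_KS = {
    "name": "ks2",
    "ike": {"encryption": "aes-cbc-256", "hash": "sha256", "dh": "group2"},  # DH group differs
    "groups": [
        {"name": "finance", "group_id": 100, "key_pair": "gdoi-rsa"},
        {"name": "branch", "group_id": "239.1.1.1", "key_pair": "ks2-rsa"},  # key pair differs
    ],
}

def valid_group_id(gid):
    """A group ID must be a group number or an IP address."""
    if isinstance(gid, int):
        return gid > 0
    try:
        return ipaddress.ip_address(gid) is not None
    except ValueError:
        return False

def check_ks(ks):
    """Per-device rules: different GDOI KS groups must have different, well-formed group IDs."""
    ids = Counter(g["group_id"] for g in ks["groups"])
    problems = [f"{ks['name']}: group ID {gid} is used by {n} groups" for gid, n in ids.items() if n > 1]
    for g in ks["groups"]:
        if not valid_group_id(g["group_id"]):
            problems.append(f"{ks['name']}/{g['name']}: group ID {g['group_id']!r} is neither a number nor an IP address")
    return problems

def check_redundancy(primary, secondary):
    """Cross-device rules: IKE settings must match, and a group that both KSs serve must use the same key pair."""
    problems = []
    if primary["ike"] != secondary["ike"]:
        problems.append("IKE settings differ between the KSs; phase-1 IKE negotiation between them will fail")
    secondary_groups = {g["group_id"]: g for g in secondary["groups"]}
    for g in primary["groups"]:
        peer = secondary_groups.get(g["group_id"])
        if peer is not None and peer["key_pair"] != g["key_pair"]:
            problems.append(f"group {g['group_id']}: key pair {g['key_pair']} on {primary['name']} vs {peer['key_pair']} on {secondary['name']}")
    return problems
```

Running check_ks on each KS and check_redundancy on the pair reports the two deliberate mismatches in the sample data (the DH group and the branch group's key pair).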