HPE FlexNetwork MSR Series Comware 5 Security Configuration Manual page 7

Table of Contents

Configuring a DPD detector ··························································································································· 208
Disabling next payload field checking ············································································································ 208
Displaying and maintaining IKE ····················································································································· 209
IKE configuration examples ··························································································································· 209
Configuring main mode IKE with pre-shared key authentication ··························································· 209
Configuring aggressive mode IKE with NAT traversal ··········································································· 213
Troubleshooting IKE ······································································································································ 216
Invalid user ID ········································································································································ 216
Proposal mismatch ································································································································· 217
Failed to establish an IPsec tunnel ········································································································ 217
ACL configuration error ·························································································································· 218
Configuring IKEv2 ······················································································· 219
Overview ························································································································································ 219
New features in IKEv2 ···························································································································· 219
Protocols and standards ························································································································ 220
IKEv2 configuration task list ··························································································································· 220
Configuring global IKEv2 parameters ············································································································ 221
Configuring the cookie challenging function ··························································································· 221
Configuring the IKEv2 DPD function ······································································································ 221
Setting limits on the number of IKEv2 SAs ···························································································· 222
Configuring an address pool for assigning addresses to initiators ························································· 222
Configuring an IKEv2 proposal ······················································································································ 223
Configuring an IKEv2 policy ··························································································································· 223
Configuring an IKEv2 keyring ························································································································ 224
Configuring an IKEv2 profile ·························································································································· 225
Displaying and maintaining IKEv2 ················································································································· 227
IKEv2 configuration examples ······················································································································· 227
Configuring IKEv2 pre-shared key authentication ·················································································· 227
Configuring IKEv2 certificate authentication ·························································································· 233
Troubleshooting IKEv2 ··································································································································· 240
No matching IKEv2 proposal found ········································································································ 240
IPsec tunnels cannot be set up ·············································································································· 240
Configuring PKI ··························································································· 241
Overview ························································································································································ 241
PKI terminology ······································································································································ 241
PKI architecture ······································································································································ 242
PKI operation ········································································································································· 242
PKI applications ····································································································································· 243
FIPS compliance ············································································································································ 243
PKI configuration task list ······························································································································· 243
Configuring an entity DN ································································································································ 244
Configuring a PKI domain ······························································································································ 245
Requesting a PKI certificate ··························································································································· 246
Configuring automatic certificate request ······························································································· 247
Manually requesting a certificate ············································································································ 248
Retrieving a certificate manually ···················································································································· 249
Verifying PKI certificates ································································································································ 249
Verifying certificates with CRL checking ································································································ 250
Verifying certificates without CRL checking ··························································································· 250
Destroying the local RSA key pair ················································································································· 250
Deleting a certificate ······································································································································ 251
Configuring a certificate access control policy ······························································································· 251
Displaying and maintaining PKI ····················································································································· 252
PKI configuration examples ··························································································································· 252
Certificate request from an RSA Keon CA server ·················································································· 252
Certificate request from a Windows 2003 CA server ············································································· 255
IKE negotiation with RSA digital signature ····························································································· 258
Certificate access control policy configuration example ········································································· 260
Troubleshooting PKI configuration ··························································· 262
Failed to obtain the CA certificate ·········································································································· 262