Configuring A Manual Ipsec Policy - HP VSR1000 Security Configuration Manual
Virtual services router
Hide thumbs
Also See for VSR1000:
- Configuration manual (463 pages) ,
- High availability configuration manual (91 pages) ,
- Layer 2 - wan access command reference (50 pages)
Table of Contents
Advertisement
Step
6.
(Optional.) Enable the
Perfect Forward Secrecy
(PFS) feature for the IPsec
policy.
Configuring a manual IPsec policy
In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP
addresses of the two ends in tunnel mode.
Configuration restrictions and guidelines
When you configure a manual IPsec policy, make sure the IPsec configuration at the two ends of an IPsec
tunnel meets the following requirements:
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,
•
security algorithms, and encapsulation mode.
•
The remote IPv4 address configured on the local end must be the same as the primary IPv4 address
of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured
on the local end must be the same as the first IPv6 address of the interface applied with the IPsec
policy at the remote end.
At each end, configure parameters for both the inbound SA and the outbound SA, and make sure
•
the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address,
security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
•
of the local outbound SA and remote inbound SA.
•
The keys for the local and remote inbound and outbound SAs must be in the same format. For
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
Configuration procedure
To configure a manual IPsec policy:
Step
1.
Enter system view.
2.
Create a manual IPsec
policy entry and enter its
view.
Command
•
In non-FIPS mode:
pfs { dh-group1 | dh-group2 |
dh-group5 | dh-group14 |
dh-group24 }
•
In FIPS mode:
pfs dh-group14
Command
system-view
ipsec { ipv6-policy | policy }
policy-name seq-number manual
181
Remarks
By default, the PFS feature is not
used for SA negotiation.
For more information about PFS,
see
"Configuring
IKE."
The security level of the
Diffie-Hellman (DH) group of the
initiator must be higher than or
equal to that of the responder.
The end without the PFS feature
performs SA negotiation according
to the PFS requirements of the peer
end.
Remarks
N/A
By default, no IPsec policy exists.
- Quick Links:
- Configuring the Device as an Ssh...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
