HP 6600 Security Configuration Manual page 274
Hide thumbs
Also See for 6600:
- Command reference manual (286 pages) ,
- Configuration manual (236 pages) ,
- Installation and getting started manual (103 pages)
Table of Contents
Advertisement
IPsec policies include the following categories:
•
Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the
IP addresses of the two ends in tunnel mode.
IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.
•
IPsec GDOI policy—Group members obtain policies that belong to their home GDOI group from
•
the key server. An IPsec GDOI policy defines the traffic to be protected, encryption algorithm,
authentication algorithm, and encapsulation mode.
Configuring a manual IPsec policy
To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies
at the two ends of an IPsec tunnel:
The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,
•
security algorithms, and encapsulation mode.
•
The remote IP address configured on the local end must be the same as the IP address of the remote
end.
At each end, configure parameters for both the inbound SA and the outbound SA and make sure
•
that different SAs use different SPIs.
•
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true
of the local outbound SA and remote inbound SA.
The keys for the local and remote inbound and outbound SAs must be in the same format. For
•
example, if the local inbound SA uses a key in characters, the local outbound SA and remote
inbound and outbound SAs must use keys in characters.
Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:
You do not need to configure ACLs or IPsec tunnel addresses.
•
Within a certain routed network scope, the IPsec transform sets used by the IPsec policies on all
•
routers must have the same security protocols, security algorithms, and encapsulation mode. For
OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope
can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly
connected neighbors or a neighbor group.
All SAs (both inbound and outbound) within the routed network scope must use the same SPI and
•
keys.
Configure the keys on all routers within the routed network scope in the same format. For example,
•
if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
Before you configure a manual IPsec policy, configure ACLs used for identifying protected traffic and
IPsec transform sets. ACLs are not required for IPsec policies for an IPv6 protocol.
To configure a manual IPsec policy:
Step
1.
Enter system view.
2.
Create a manual IPsec
policy and enter its
view.
Command
system-view
ipsec policy policy-name
seq-number manual
260
Remarks
N/A
By default, no IPsec policy exists.
Advertisement
Table of Contents
Troubleshooting
