Configuring an IKE profile - HPE FlexNetwork 10500 Series Security Configuration Manual

Tasks at a glance

Task                                                      Remarks
(Optional.) Configuring the global identity information   N/A
(Optional.) Configuring the IKE keepalive feature         N/A
(Optional.) Configuring the IKE NAT keepalive feature     N/A
(Optional.) Configuring IKE DPD                           N/A
(Optional.) Enabling invalid SPI recovery                 N/A
(Optional.) Setting the maximum number of IKE SAs         N/A
(Optional.) Configuring an IKE IPv4 address pool          N/A
(Optional.) Configuring SNMP notifications for IKE        N/A

Configuring an IKE profile

An IKE profile is intended to provide a set of parameters for IKE negotiation. To configure an IKE profile, perform the following tasks:

1. Configure peer IDs. When an end needs to select an IKE profile, it compares the received peer ID with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.

2. Configure the IKE keychain or PKI domain for the IKE proposals to use:
   - To use digital signature authentication, configure a PKI domain.
   - To use pre-shared key authentication, configure an IKE keychain.

3. Specify the negotiation mode (main or aggressive) that the device uses as the initiator. When the device acts as the responder, it uses the IKE negotiation mode of the initiator.

4. Specify the IKE proposals that the device can use as the initiator. An IKE proposal specified earlier has a higher priority. When the device acts as the responder, it uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. If no match is found, the negotiation fails.

5. Configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation:
   - For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN (the device name configured by using the sysname command) instead.
   - For pre-shared key authentication, the device can use an ID of any type other than the DN.

6. Configure IKE DPD to detect dead IKE peers. You can also configure this feature in system view. The IKE DPD settings configured in IKE profile view take precedence over those configured in system view.

7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

8. Specify an inside VPN instance. This setting determines where the device forwards received IPsec-protected data. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the data. If you do not specify an inside VPN instance, the device looks for a route in the VPN instance where the receiving interface resides to forward the data.

9. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
   a. First, the device examines the existence of the match local address command. An IKE profile with the match local address command configured has a higher priority.
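The following CLI session is an added example that is not part of this manual; it walks through tasks 1 to 9 above for a pre-shared-key tunnel. The proposal number, keychain and profile names (10, kc-branch, prof-branch), the VPN instance name vpn-inside, the addresses (192.0.2.1 local, 203.0.113.2 peer) and the key string are all constructed placeholders. The match local address and local-address command names are taken from the text above; the remaining command syntax is assumed from the Comware 7 IKE command set and should be checked against the command reference for this release.

```text
<Device> system-view
[Device] ike proposal 10
[Device-ike-proposal-10] encryption-algorithm aes-cbc-256
[Device-ike-proposal-10] authentication-algorithm sha256
[Device-ike-proposal-10] authentication-method pre-share
[Device-ike-proposal-10] dh group14
[Device-ike-proposal-10] quit
[Device] ike keychain kc-branch
[Device-ike-keychain-kc-branch] pre-shared-key address 203.0.113.2 255.255.255.255 key simple ExamplePSK-Replace-Me
[Device-ike-keychain-kc-branch] quit
[Device] ike profile prof-branch
[Device-ike-profile-prof-branch] match remote identity address 203.0.113.2 255.255.255.255
[Device-ike-profile-prof-branch] keychain kc-branch
[Device-ike-profile-prof-branch] exchange-mode main
[Device-ike-profile-prof-branch] proposal 10
[Device-ike-profile-prof-branch] local-identity address 192.0.2.1
[Device-ike-profile-prof-branch] dpd interval 10 retry 5 on-demand
[Device-ike-profile-prof-branch] match local address 192.0.2.1
[Device-ike-profile-prof-branch] inside-vpn vpn-instance vpn-inside
[Device-ike-profile-prof-branch] priority 10
[Device-ike-profile-prof-branch] quit
```

Line by line inside the profile: match remote identity is the peer ID of task 1; keychain selects pre-shared-key authentication (task 2), so the local ID in task 5 is an address rather than a DN; exchange-mode and proposal cover tasks 3 and 4 and only apply when this device initiates; the dpd line in profile view overrides any DPD settings in system view (task 6); match local address must carry the same address as the local-address command in the IPsec policy that uses this profile (task 7); inside-vpn names the VPN instance whose routing table is used for the decrypted traffic (task 8); and priority supplies the number consulted after the match local address check in task 9. Replace the key string before use and keep the proposal's algorithms at least as strong as the peer's policy allows.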
360
