HPE FlexNetwork 10500 Series Security Configuration Manual page 378


b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers the IKE profile configured earlier.
10. Enable client authentication.
Client authentication enables an IPsec gateway to perform extended (XAUTH) authentication on remote users through AAA after IKE phase-1 negotiation. Remote users who provide the correct username and password pass the authentication and continue with the IKE phase-2 negotiation. AAA configuration is also required on the IPsec gateway for client authentication. For more information about AAA, see "Configuring AAA."
11. Enable AAA authorization.
The AAA authorization feature enables IKE to request authorization attributes, such as the IKE IPv4 address pool, from AAA. IKE uses the address pool to assign IPv4 addresses to remote users. For more information about AAA authorization, see "Configuring AAA."
To configure an IKE profile:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE profile and enter its view.
  Command: ike profile profile-name
  Remarks: By default, no IKE profiles exist.

Step 3. Configure a peer ID.
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
  Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
  Command:
    To specify the keychain for pre-shared key authentication: keychain keychain-name
    To specify the PKI domain used to request a certificate for digital signature authentication: certificate domain domain-name
  Remarks: Configure at least one command as required. By default, no IKE keychain or PKI domain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
  Command:
    In non-FIPS mode: exchange-mode { aggressive | main }
    In FIPS mode: exchange-mode main
  Remarks: By default, the main mode is used during IKE negotiation phase 1.

Step 6. Specify IKE proposals for the IKE profile.
  Command: proposal proposal-number&<1-6>
  Remarks: By default, no IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.
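The following is an added worked example, not taken from the manual, that walks the six steps above for a site-to-site peer: a main-mode, pre-shared-key profile whose peer ID is the remote gateway address. The keychain name kc-branch, proposal number 10, profile name prof-branch, the RFC 5737 documentation address 203.0.113.2 and the pre-shared key value are all assumed placeholders; the ike keychain and ike proposal blocks and their sub-commands are assumed to be configured as described in the manual's keychain and proposal sections, and lines starting with # are annotations, not commands.

```text
# Step 1: enter system view.
system-view

# Assumed prerequisite: keychain holding the pre-shared key for the remote gateway.
# Bind the key to the peer address so it cannot be reused by another peer.
ike keychain kc-branch
 pre-shared-key address 203.0.113.2 255.255.255.255 key simple REPLACE_WITH_STRONG_PSK
 quit

# Assumed prerequisite: an explicit IKE proposal, so the profile does not silently
# fall back to the system-view proposals (see the Step 6 remark).
ike proposal 10
 authentication-method pre-share
 quit

# Step 2: create the profile and enter its view.
ike profile prof-branch
 # Step 3: peer ID is the remote gateway address with a host mask, so only
 # that address is matched (a range or fqdn match would be broader).
 match remote identity address 203.0.113.2 255.255.255.255
 # Step 4: pre-shared key authentication via the keychain above
 # (certificate domain would be used instead for digital signature authentication).
 keychain kc-branch
 # Step 5: main mode; this is also the only mode permitted in FIPS mode.
 exchange-mode main
 # Step 6: pin the profile to proposal 10 instead of the system-view default.
 proposal 10
 quit
```

The remote gateway needs a mirror-image profile whose match remote identity names this device, since the Step 3 remark requires a peer ID on both sides.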
