HPE FlexNetwork MSR Series Configuration Manual page 9

Authentication and encryption ······························································································ 341
IPsec implementation ········································································································· 342
IPsec RRI ························································································································ 344
Protocols and standards ····································································································· 345
FIPS compliance ······················································································································ 345
IPsec tunnel establishment ········································································································ 345
Implementing ACL-based IPsec ·································································································· 346
Configuring an ACL ··········································································································· 347
Configuring an IPsec transform set ······················································································· 350
Configuring a manual IPsec policy ························································································ 352
Configuring an IKE-based IPsec policy ·················································································· 354
Applying an IPsec policy to an interface ················································································· 357
Enabling ACL checking for de-encapsulated packets ······························································· 358
Configuring IPsec anti-replay ······························································································· 358
Configuring IPsec anti-replay redundancy ·············································································· 359
Binding a source interface to an IPsec policy ·········································································· 360
Enabling QoS pre-classify ··································································································· 360
Enabling logging of IPsec packets ························································································ 361
Configuring the DF bit of IPsec packets ················································································· 361
Configuring IPsec RRI ········································································································ 362
Configuring IPsec for IPv6 routing protocols ·················································································· 363
Configuration task list ········································································································· 363
Configuring a manual IPsec profile ······················································································· 363
Configuring IPsec for tunnels······································································································ 365
Configuration task list ········································································································· 365
Configuring an IKE-based IPsec profile ················································································· 365
Applying an IKE-based IPsec profile to a tunnel interface ·························································· 366
Configuring SNMP notifications for IPsec ······················································································ 367
Configuring IPsec fragmentation ································································································· 367
Setting the maximum number of IPsec tunnels ·············································································· 368
Enabling logging for IPsec negotiation·························································································· 368
Displaying and maintaining IPsec ································································································ 368
IPsec configuration examples ····································································································· 369
Configuring a manual mode IPsec tunnel for IPv4 packets ························································ 369
Configuring an IKE-based IPsec tunnel for IPv4 packets ··························································· 372
Configuring an IKE-based IPsec tunnel for IPv6 packets ··························································· 376
Configuring IPsec for RIPng ································································································ 379
Configuring IPsec RRI ········································································································ 382
Configuring IPsec tunnel interface-based IPsec for IPv4 packets ················································ 386
Configuring IKE ··········································································· 391
Overview ································································································································ 391
IKE negotiation process ······································································································ 391
IKE security mechanism ····································································································· 392
Protocols and standards ····································································································· 393
FIPS compliance ······················································································································ 393
IKE configuration prerequisites ··································································································· 393
IKE configuration task list ·········································································································· 393
Configuring an IKE profile ·········································································································· 394
Configuring an IKE proposal ······································································································· 396
Configuring an IKE keychain ······································································································ 397
Configuring the global identity information ····················································································· 398
Configuring the IKE keepalive feature ·························································································· 399
Configuring the IKE NAT keepalive feature ··················································································· 399
Configuring IKE DPD ················································································································ 400
Enabling invalid SPI recovery ····································································································· 400
Setting the maximum number of IKE SAs ····················································································· 401
Configuring an IKE IPv4 address pool ·························································································· 401
Configuring SNMP notifications for IKE ························································································ 402
Enabling logging for IKE negotiation ···························································································· 402
Displaying and maintaining IKE ·································································································· 402
IKE configuration examples ········································································································ 403
vii