R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

461

462

463

464

465

466

467

468

469

470

Ste

Command

Remarks

3. Configure an ID for the

GDOI KS group.

identity { address ip-address | number

number }

Specify an IP address or a

number as the group ID.

By default, no GDOI group ID is

specified.

4. Reference a key pair for KS

rekey.

rekey authentication public-key rsa

key-name

By default, no key pair is

referenced.

5. Specify a rekey ACL.

rekey acl { acl-number | name

acl-name }

By default, no rekey ACL is

specified.

6. Create an IPsec policy for

the GDOI KS group and

enter GDOI KS group IPsec

policy view.

ipsec sequence-number

No IPsec policy is created.

You can configure multiple IPsec

policies for a GDOI KS group.

7. Reference an IPsec profile

for the IPsec policy.

profile ipsec-profile-name

By default, no IPsec profile is

referenced.

8. Reference an ACL for the

IPsec policy.

security acl { acl-number | name

acl-name}

By default, no ACL is referenced.

Configuring GDOI KS redundancy

GDOI KS redundancy can be used to achieve KS high availability and load sharing. The following

describes GDOI KS redundancy settings:

• UDP port number—Specifies the UDP port number that a GDOI KS uses to send and receive

redundancy protocol packets to and from other KSs. All KSs in the same GDOI KS group must use

the same UDP port number.

• Peer address—Specifies the IP address of a peer KS.

• Local priority—Specifies the priority of the local KS for primary KS election. A greater value

indicates a higher priority. If multiple KSs have the same priority, the KS with the highest IP address

is elected as the primary KS.

• Redundancy enable—Enables GDOI KS redundancy.

• Redundancy hello—Configures the following settings:

{ Redundancy hello packet sending interval for the primary KS.

{ Maximum number of consecutive failures allowed in receiving redundancy hello packets

before the secondary KS considers itself to be disconnected from the primary KS.

Configure the redundancy hello parameters reasonably to make the secondary KS timely know the

primary KS keepalive status.

• Redundancy retransmit—Specifies redundancy protocol packet (expect hello packet)

retransmission interval and the number of retransmissions.

Follow these guidelines when you configure GDOI KS redundancy:

• The KSs for KS redundancy must have the same KS group configuration expect peer IP address,

local priority, and source address of outgoing KS packets.

• In a GDOI KS group, you must specify the IP addresses of all peer KSs that back up the local KS.

• The IP address of a peer KS specified on the local KS must be the same as the source address that

the peer KS uses to send redundancy protocol packets.