R3303-HP HSR6800 Routers Security Configuration Guide

Task                                                         Command
Clear GDOI information for GMs and initiate registrations.   reset gdoi [ group group-name ]
Enforce rekey.                                               gdoi ks rekey [ group group-name ]
Configuring the GDOI GM
The GDOI GM needs IKE settings that include an IKE proposal and an IKE peer used for phase-1 IKE
negotiation. The IKE peer is identified by the IP address of the KS. For information about IKE
configuration, see "Configuring IKE."
GDOI GM configuration task list
Task                                             Remarks
Configuring a GDOI GM group                      Required.
Configuring a GDOI IPsec policy                  Required.
Applying a GDOI IPsec policy to an interface     Required.
Configuring a GDOI GM group
You can configure multiple GDOI GM groups on a GM. Different GDOI GM groups must have different
KS addresses and group IDs.
A GDOI GM group includes the following information that the GM uses to register with a KS:
Group name—Identifies the GDOI GM group on the GM, used for local management and reference.
Group ID—Identifies the GDOI GM group in the group domain VPN. The KS uses the group ID to identify the GDOI GM group that the requesting GM wants to join. A GDOI GM group can have only one group ID, which is either a group number or an IP address.
KS address—Identifies the IP address of a KS with which the GM registers. A GDOI GM group can have up to eight KS addresses. The GM first sends a registration request to the first-specified KS. If the registration does not succeed before the register timer expires, the GM registers with the other KSs one by one in the order they are configured until a registration succeeds. If all registration attempts fail, the GM repeats the registration process.
Registration interface—The GM uses the registration interface to send packets to the KS. By default, the registration interface of a GM is the output interface of the route from the GM to the KS.
Follow these guidelines when you configure a GDOI GM group:
A GDOI GM group can have only one group ID. A newly configured group ID overwrites the previous one.
Different GDOI GM groups must have different group IDs and KS addresses.
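The rules above are easy to get wrong when several GM groups are configured on one router, and the KS fallback order decides which KS ends up serving a group when the first one is unreachable. The following Python model is an added illustration, not HP or Comware code: it checks a set of GM groups against the constraints stated on this page (one group ID per group, which is a number or an IPv4 address; up to eight KS addresses; distinct groups must not share a group ID or a KS address) and replays the registration order (first-configured KS first, then the others in configured order, repeated if the whole pass fails). The group names, addresses, interface name and the set of "reachable" KSs are constructed sample data; treating "different KS addresses" as "no KS address shared between two groups" is this model's reading of the guideline.

```python
"""Added model of the GDOI GM group rules on this page (not device code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple, Union

MAX_KS_PER_GROUP = 8  # stated on this page: up to eight KS addresses per group


@dataclass
class GmGroup:
    name: str                                # group name: local management name on the GM
    group_id: Union[int, str]                # group ID: a group number or an IP address
    ks_addresses: List[str] = field(default_factory=list)   # in configured order
    registration_interface: Optional[str] = None            # None = route's output interface


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def validate_group(g: GmGroup) -> List[str]:
    """Return the violations of the per-group rules (empty list = OK)."""
    problems = []
    if not isinstance(g.group_id, int) and not _is_ipv4(g.group_id):
        problems.append(f"{g.name}: group ID must be a number or an IP address")
    if not g.ks_addresses:  # registration needs a KS to register with
        problems.append(f"{g.name}: no KS address configured")
    if len(g.ks_addresses) > MAX_KS_PER_GROUP:
        problems.append(f"{g.name}: {len(g.ks_addresses)} KS addresses, limit is {MAX_KS_PER_GROUP}")
    for addr in g.ks_addresses:
        if not _is_ipv4(addr):
            problems.append(f"{g.name}: KS address {addr!r} is not an IPv4 address")
    if len(set(g.ks_addresses)) != len(g.ks_addresses):
        problems.append(f"{g.name}: duplicate KS address")
    return problems


def validate_gm(groups: List[GmGroup]) -> List[str]:
    """Per-group checks plus the cross-group rule: different groups must have
    different group IDs and different KS addresses."""
    problems = []
    for g in groups:
        problems += validate_group(g)
    for i, a in enumerate(groups):
        for b in groups[i + 1:]:
            if a.group_id == b.group_id:
                problems.append(f"{a.name}/{b.name}: same group ID {a.group_id}")
            shared = set(a.ks_addresses) & set(b.ks_addresses)
            if shared:
                problems.append(f"{a.name}/{b.name}: shared KS address(es) {sorted(shared)}")
    return problems


def registration_order(g: GmGroup, reachable: Set[str],
                       max_rounds: int = 2) -> Tuple[List[str], Optional[str]]:
    """Replay the KS fallback order described on this page.

    The GM tries the first-configured KS, then each remaining KS in configured
    order; each attempt "fails" here when the KS is not in `reachable` (standing
    in for the register timer expiring). If a whole pass fails the GM repeats
    the process; max_rounds bounds the repetition so the model terminates.
    Returns (KS addresses tried in order, KS that accepted the registration or None).
    """
    attempts = []
    for _ in range(max_rounds):
        for ks in g.ks_addresses:
            attempts.append(ks)
            if ks in reachable:
                return attempts, ks
    return attempts, None


# Constructed sample data (names, addresses and interface are hypothetical).
SAMPLE_GROUPS = [
    GmGroup("gm-group1", 1234, ["10.1.1.1", "10.1.1.2"]),
    GmGroup("gm-group2", "192.168.0.10", ["10.1.2.1"],
            registration_interface="GigabitEthernet1/0/1"),
]
BAD_GROUPS = [
    GmGroup("dup-a", 1234, ["10.1.1.1"]),
    GmGroup("dup-b", 1234, ["10.1.1.1"]),                 # same group ID and KS as dup-a
    GmGroup("too-many", 5, [f"10.9.9.{i}" for i in range(1, 10)]),  # nine KS addresses
]

if __name__ == "__main__":
    for line in validate_gm(BAD_GROUPS):
        print("violation:", line)
    tried, winner = registration_order(SAMPLE_GROUPS[0], reachable={"10.1.1.2"})
    print("tried", tried, "-> registered with", winner)
```

Running the block lists the three violations in BAD_GROUPS and shows gm-group1 falling through from 10.1.1.1 to 10.1.1.2. The ordering point is worth keeping in mind when planning KS placement: the first-configured KS receives every registration attempt while it is reachable, so the order in which KS addresses are entered, not their numeric value, decides which KS normally serves the group.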
To configure a GDOI GM group: