R3303-HP HSR6800 Routers Security Configuration Guide

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a GDOI GM group and enter GDOI GM group view. | gdoi gm group group-name | By default, no GDOI GM group exists. |
| 3. Configure a GDOI GM group ID. | identity { address ip-address \| number number } | Specify an IP address or a number as the group ID. By default, no GDOI GM group ID is specified. |
| 4. Configure a KS address. | server address ip-address | By default, no KS address is specified. |
| 5. Configure a registration interface. | client registration interface interface-type interface-number | Optional. By default, the registration interface is the output interface of the route from the GM to the KS. |
Configuring a GDOI IPsec policy
A GDOI IPsec policy can comprise multiple entries. The GDOI IPsec policy is identified by a name and each entry is identified by a sequence number. A smaller sequence number represents a higher priority.

Perform this task to configure a GDOI IPsec policy and reference a GDOI GM group and a local ACL for each entry. The GDOI GM group gives the KS addresses and group ID used by the GM for registration. The local ACL is used to filter packets: packets matching a permit rule of the local ACL are discarded, and packets matching a deny rule are forwarded in plain text.

After the GM successfully registers with a KS, the KS assigns a security policy that contains an ACL. The GM uses this assigned (downloaded) ACL to determine packet encryption. Packets matching a permit rule of the downloaded ACL are encrypted. Packets matching a deny rule are forwarded in plain text. Packets that do not match any rule are forwarded in plain text.

The GM first uses the local ACL to match packets and then uses the downloaded ACL to match packets that do not match the local ACL. Packets that fail to match both the local and the downloaded ACL are forwarded in plain text.

IPsec packets whose destination address is the local device do not match against the local ACL in the GDOI IPsec policy. They only match against the downloaded ACL.

A GDOI IPsec policy does not apply to GDOI protocol packets or non-first fragments.
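The matching order above (policy exemptions, then the local ACL, then the downloaded ACL) is easy to get wrong when auditing a GM configuration. The following is an added model of that decision, not code from the guide or from the device; the Rule and Packet shapes, the address-prefix matching and the sample ACLs are constructed for illustration (a real device matches ACL rules on more than source and destination prefix).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source prefix, e.g. "10.1.0.0/16"
    dst: str      # destination prefix

@dataclass
class Packet:
    src: str
    dst: str
    is_gdoi: bool = False               # GDOI protocol packet (registration or rekey)
    non_first_fragment: bool = False    # fragment other than the first
    is_ipsec_to_local: bool = False     # IPsec packet whose destination is this device

def first_match(rules, pkt):
    """Action of the first rule matching the packet's addresses, or None if no rule matches."""
    for r in rules:
        if ip_address(pkt.src) in ip_network(r.src) and ip_address(pkt.dst) in ip_network(r.dst):
            return r.action
    return None

def classify(pkt, local_acl, downloaded_acl):
    """Return 'bypass' (policy not applied), 'discard', 'plaintext' or 'encrypt'."""
    # The GDOI IPsec policy does not apply to GDOI protocol packets or non-first fragments.
    if pkt.is_gdoi or pkt.non_first_fragment:
        return "bypass"
    # Local ACL first: permit -> discard, deny -> plain text, no match -> try the downloaded ACL.
    # IPsec packets addressed to the local device skip the local ACL and use only the downloaded ACL.
    if not pkt.is_ipsec_to_local:
        action = first_match(local_acl, pkt)
        if action == "permit":
            return "discard"
        if action == "deny":
            return "plaintext"
    # Downloaded ACL (assigned by the KS after registration): permit -> encrypt; deny or no match -> plain text.
    return "encrypt" if first_match(downloaded_acl, pkt) == "permit" else "plaintext"

# Constructed sample ACLs (not from the guide); rules are evaluated in order.
LOCAL_ACL = [
    Rule("deny", "10.1.1.0/24", "10.2.2.0/24"),    # keep this flow in plain text
    Rule("permit", "192.0.2.0/24", "0.0.0.0/0"),   # drop everything from this range
]
DOWNLOADED_ACL = [Rule("permit", "10.0.0.0/8", "10.0.0.0/8")]  # KS policy: protect 10/8 <-> 10/8
```

With these sample ACLs, `classify(Packet("10.5.5.5", "10.6.6.6"), LOCAL_ACL, DOWNLOADED_ACL)` returns "encrypt", while the same packet with `non_first_fragment=True` returns "bypass".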
To configure a GDOI IPsec policy:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a GDOI IPsec policy entry and enter GDOI IPsec policy entry view. | ipsec policy policy-name seq-number gdoi | By default, no GDOI IPsec policy exists. |