R3303-HP HSR6800 Routers Security Configuration Guide

Task                                                             Command
---------------------------------------------------------------  --------------------------------------------------------------------------------------------------------
Display the GDOI GM group information.                           display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display information about IPsec SAs obtained by the GM.          display gdoi gm ipsec sa [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display brief information about the GM.                          display gdoi gm members [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display the ACL information of the GM.                           display gdoi gm acl [ download | local ] [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display the rekey information of the GM.                         display gdoi gm rekey [ verbose ] [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display information about the public keys received by the GM.    display gdoi gm pubkey [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Display IKE SA information.                                      display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address ] ] [ | { begin | exclude | include } regular-expression ]
Display IPsec SA information.                                    display ipsec sa [ active | brief | duration | policy policy-name [ seq-number ] | remote [ ipv6 ] ip-address | standby ] [ | { begin | exclude | include } regular-expression ]
Display GDOI IPsec policy information.                           display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
Clear GDOI information for the GM and initiate registration.     reset gdoi gm [ group group-name ]
For more information about the display ike sa, display ipsec sa, and display ipsec policy commands, see
Security Command Reference.
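A practitioner does not stop at running display ipsec sa; the point is to confirm that every SA the KS pushed to the GM carries the transform set the group policy calls for and still has lifetime left before the next rekey. The following script is an added example written for this page, not code from the HP guide: it parses text shaped like Comware display ipsec sa output and flags SAs whose transform set, status, or remaining lifetime deviate from the expected values. The field layout it looks for is an approximation from memory, and the sample text is constructed rather than captured from a device, so adjust the line prefixes to match your own router's output before relying on it.

```python
"""Audit the IPsec SAs a GDOI GM has installed against the expected policy.

Added example, not part of the HP guide. The 'display ipsec sa' layout
assumed here is an approximation; the sample text is constructed.
"""
from dataclasses import dataclass

# What the KS is expected to push for the group: ESP with AES-CBC-128 and SHA1.
EXPECTED_TRANSFORM = "ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1"

# Constructed sample (not captured from a device). The second flow deliberately
# carries a weaker transform set and an outbound SA close to expiry.
SAMPLE_OUTPUT = """\
-------------------------------
Interface: GigabitEthernet1/0/1
-------------------------------

  -----------------------------
  IPsec policy: gdoi-policy
  Sequence number: 10
  -----------------------------
    Flow:
        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.1.2.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SA]
      SPI: 3264166098 (0xc28f38d2)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Status: Active

    [Outbound ESP SA]
      SPI: 3264166098 (0xc28f38d2)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Status: Active

    Flow:
        sour addr: 10.1.1.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 10.1.3.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SA]
      SPI: 1520049885 (0x5a9a1edd)
      Transform set: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/3484
      Status: Active

    [Outbound ESP SA]
      SPI: 1520049885 (0x5a9a1edd)
      Transform set: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      SA duration (kilobytes/sec): 1843200/3600
      SA remaining duration (kilobytes/sec): 1843200/120
      Status: Active
"""


@dataclass
class SaRecord:
    flow: str           # "src/mask -> dst/mask" taken from the preceding Flow block
    direction: str      # "inbound" or "outbound"
    spi: int
    transform: str
    remaining_sec: int
    status: str


def parse_ipsec_sa(text):
    """Return one SaRecord per [Inbound/Outbound ESP SA] block in the text."""
    records = []
    src = dst = None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("sour addr:"):
            src = line.split()[2]
        elif line.startswith("dest addr:"):
            dst = line.split()[2]
        elif line.startswith("[Inbound") or line.startswith("[Outbound"):
            cur = {"flow": f"{src} -> {dst}",
                   "direction": line.strip("[]").split()[0].lower()}
        elif cur is not None:
            if line.startswith("SPI:"):
                cur["spi"] = int(line.split()[1])          # decimal form before the (0x...) echo
            elif line.startswith("Transform set:"):
                cur["transform"] = line.split(":", 1)[1].strip()
            elif line.startswith("SA remaining duration"):
                cur["remaining_sec"] = int(line.rsplit("/", 1)[1])   # seconds after the slash
            elif line.startswith("Status:"):
                cur["status"] = line.split(":", 1)[1].strip()
                records.append(SaRecord(**cur))            # Status closes the SA block
                cur = None
    return records


def audit(records, expected_transform=EXPECTED_TRANSFORM, min_remaining_sec=300):
    """Return a list of findings; an empty list means every SA matches policy."""
    findings = []
    for r in records:
        where = f"{r.flow} {r.direction} SPI 0x{r.spi:08x}"
        if r.transform != expected_transform:
            findings.append(f"{where}: transform set '{r.transform}' "
                            f"differs from expected '{expected_transform}'")
        if r.status != "Active":
            findings.append(f"{where}: status is {r.status}, not Active")
        if r.remaining_sec < min_remaining_sec:
            findings.append(f"{where}: only {r.remaining_sec}s of lifetime left; "
                            "check rekey delivery with 'display gdoi gm rekey'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipsec_sa(SAMPLE_OUTPUT)) or ["all SAs match policy"]:
        print(finding)
```

In a group domain VPN the inbound and outbound SAs for a flow share one SPI because the KS, not a pairwise IKE exchange, generates them; a transform set that differs from the group policy or an SA about to expire without a fresh rekey therefore points at the KS or at rekey delivery, which is why the lifetime finding refers the operator to display gdoi gm rekey.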
Group domain VPN configuration example
Network requirements
As shown in Figure 155, set up a group domain VPN on the network to protect traffic between subnets, as follows:
• Add GM 1, GM 2, and GM 3 to GDOI group 12345, and configure them to register with the KS that manages the group.
• Use the IPsec security protocol ESP, encryption algorithm AES-CBC 128, and authentication algorithm SHA1 to protect the data.
• Configure IPsec to protect traffic from subnet 10.1.1.0 to subnet 10.1.2.0, and traffic from subnet 10.1.1.0 to subnet 10.1.3.0.
• Use pre-shared key authentication for IKE negotiation between the KS and the GMs.
• Configure the KS to multicast rekey messages to the GMs.
• Configure KS 1 and KS 2 to back up each other. KS 1 and KS 2 use pre-shared key authentication for IKE negotiation.