
[FirewallA] public-key local create rsa
# Retrieve the CA certificate and the CRL, then request a local certificate. SCEP retrieval of the CA certificate does not authenticate the CA by itself, so confirm the retrieved CA certificate's fingerprint out of band before trusting it for IKE authentication.
[FirewallA] pki retrieval-certificate ca domain 1
[FirewallA] pki retrieval-crl domain 1
[FirewallA] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallA] ike proposal 1
[FirewallA-ike-proposal-1] authentication-method rsa-signature
[FirewallA-ike-proposal-1] quit
# Bind the IKE peer to PKI domain 1, so the certificate and key pair obtained in that domain are used for the RSA-signature authentication configured in the proposal.
[FirewallA] ike peer peer
[FirewallA-ike-peer-peer] certificate domain 1
b. Configure Firewall B
# Configure the entity DN.
<FirewallB> system-view
[FirewallB] pki entity en
[FirewallB-pki-entity-en] ip 3.3.3.1
[FirewallB-pki-entity-en] common-name Firewallb
[FirewallB-pki-entity-en] quit
# Configure the PKI domain. The certificate request URL (the SCEP enrollment endpoint) depends on the CA server in use; the value below is an example.
[FirewallB] pki domain 1
[FirewallB-pki-domain-1] ca identifier CA2
[FirewallB-pki-domain-1] certificate request url
http://2.1.1.100/certsrv/mscep/mscep.dll
[FirewallB-pki-domain-1] certificate request entity en
[FirewallB-pki-domain-1] ldap-server ip 2.1.1.102
# Send certificate requests to the RA (registration authority) rather than directly to the CA.
[FirewallB-pki-domain-1] certificate request from ra
# Configure the CRL distribution URL. This is only required when CRL checking is enabled. Note that if CRL checking is disabled, a peer presenting a revoked certificate is still accepted during IKE authentication, so keep CRL checking enabled unless revocation is handled another way.
[FirewallB-pki-domain-1] crl url ldap://2.1.1.102
[FirewallB-pki-domain-1] quit
# Create a local key pair using RSA.
[FirewallB] public-key local create rsa
# Retrieve the CA certificate and the CRL, then request a local certificate. The request URL above uses plain HTTP, so the transport provides no server authentication; confirm the retrieved CA certificate's fingerprint out of band before trusting it for IKE authentication.
[FirewallB] pki retrieval-certificate ca domain 1
[FirewallB] pki retrieval-crl domain 1
[FirewallB] pki request-certificate domain 1
# Configure IKE proposal 1, using RSA signature for identity authentication.
[FirewallB] ike proposal 1
[FirewallB-ike-proposal-1] authentication-method rsa-signature
[FirewallB-ike-proposal-1] quit
# Bind the IKE peer to PKI domain 1, so the certificate and key pair obtained in that domain are used for the RSA-signature authentication configured in the proposal.
[FirewallB] ike peer peer
[FirewallB-ike-peer-peer] certificate domain 1