R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

• Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation, and can be IP address, FQDN, or user FQDN for aggressive mode IKE negotiation.
• Specify the name or IP address of the local security gateway. You perform this task only when you want to specify a special address (for example, a loopback interface address) as the local security gateway address.
• Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so that the local end can find the remote end.
• Enable NAT traversal. If there is a NAT gateway on the tunnel path, you must configure NAT traversal at both ends of the IPsec tunnel, because one end may use a public address while the other end uses a private address.
• Specify the dead peer detection (DPD) detector for the IKE peer.
To configure an IKE peer:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE peer and enter IKE peer view.
  Command: ike peer peer-name
  Remarks: N/A

Step 3. Specify the IKE negotiation mode for phase 1.
  Command: exchange-mode { aggressive | main }
  Remarks: Optional. The default IKE negotiation mode for phase 1 is main. The aggressive keyword is not available in FIPS mode.

Step 4. Specify the IKE proposals for the IKE peer to reference.
  Command: proposal proposal-number&<1-6>
  Remarks: Optional. By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, uses the IKE proposals configured in system view.

Step 5. Configure the pre-shared key or PKI domain.
  Command (pre-shared key authentication): pre-shared-key [ cipher | simple ] key
  Command (digital signature authentication): certificate domain domain-name
  Remarks: Configure either command according to the authentication method of the IKE proposal. In FIPS mode, the shared key must be a ciphertext string of at least 8 characters that contains uppercase letters, lowercase letters, digits, and special characters.

Step 6. Select the ID type for IKE negotiation phase 1.
  Command: id-type { ip | name | user-fqdn }
  Remarks: Optional. By default, the ID type for IKE negotiation phase 1 is ip.
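The following session is an added example, not taken from the guide, that walks through the steps above for two IKE peers: one in main mode with a pre-shared key, where the guide requires the ID type to be IP address, and one in aggressive mode identified by FQDN behind a NAT gateway. The peer names, proposal number, key placeholder, remote address and FQDN are constructed; the remote-address, remote-name and nat traversal commands correspond to tasks listed above but their syntax is assumed, not shown on this page, and lines starting with # are explanatory comments rather than device syntax.

```text
<Sysname> system-view
# Peer 1: main mode with pre-shared key authentication.
# With a pre-shared key, main mode requires id-type ip (the default),
# so the peer is identified by its gateway address.
[Sysname] ike peer hq-main
[Sysname-ike-peer-hq-main] exchange-mode main
[Sysname-ike-peer-hq-main] proposal 10
# Replace the placeholder with the real key; in FIPS mode the key must
# meet the complexity rules given in the table above.
[Sysname-ike-peer-hq-main] pre-shared-key simple <PLACEHOLDER-KEY>
[Sysname-ike-peer-hq-main] id-type ip
# remote-address: assumed syntax; 203.0.113.10 is a documentation address.
[Sysname-ike-peer-hq-main] remote-address 203.0.113.10
[Sysname-ike-peer-hq-main] quit
# Peer 2: aggressive mode with pre-shared key authentication.
# Aggressive mode allows an FQDN identity, which suits a peer whose
# address is translated by a NAT gateway on the tunnel path.
[Sysname] ike peer branch-aggr
[Sysname-ike-peer-branch-aggr] exchange-mode aggressive
[Sysname-ike-peer-branch-aggr] proposal 10
[Sysname-ike-peer-branch-aggr] pre-shared-key simple <PLACEHOLDER-KEY>
[Sysname-ike-peer-branch-aggr] id-type name
# remote-name and nat traversal: assumed syntax; FQDN is constructed.
[Sysname-ike-peer-branch-aggr] remote-name branch.example.net
[Sysname-ike-peer-branch-aggr] nat traversal
[Sysname-ike-peer-branch-aggr] quit
```

Both peers reference proposal 10, so that proposal must exist and its authentication method must match the pre-shared-key command chosen in step 5.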