R211x-HP Flexfabric 11900 Security Configuration Guide
Step 8. Configure keys for the IPsec SA.

Command:
• Configure an authentication key in hexadecimal format for AH:
  sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH:
  sa string-key { inbound | outbound } ah { cipher | simple } key-value
• Configure a key in character format for ESP:
  sa string-key { inbound | outbound } esp { cipher | simple } key-value
• Configure an authentication key in hexadecimal format for ESP:
  sa hex-key authentication { inbound | outbound } esp { cipher | simple } key-value
• Configure an encryption key in hexadecimal format for ESP:
  sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value

Remarks:
By default, no keys are configured for the IPsec SA.
Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set referenced by the IPsec policy.
If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect.
If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP.
Configuring an IKE-based IPsec policy
In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, configure its parameters directly in IPsec policy view.
Configuration restrictions and guidelines
The IPsec configurations at the two ends of an IPsec tunnel must meet the following requirements:
• The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
• An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
• The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional on the responder. The remote IP address specified on the local end must be the same as the local IP address specified on the remote end.
For an IPsec SA established through IKE negotiation:
• The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller.
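To make the matching rules above concrete, here is an added Python model (not code from this guide or from the device) that checks the two ends' IPsec policies against them: it looks for a fully matched transform set among up to six, verifies the remote/local address pairing, and derives the SA lifetime as the smaller of the two ends' settings. The class and field names are this example's own assumptions, not CLI keywords, and the sample policies at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MAX_TRANSFORM_SETS = 6  # limit stated in the guidelines above

@dataclass(frozen=True)
class TransformSet:
    protocols: frozenset      # e.g. frozenset({"esp"}) or frozenset({"ah", "esp"})
    algorithms: frozenset     # e.g. frozenset({"aes-cbc-128", "sha1"})
    encapsulation: str        # "tunnel" or "transport"

@dataclass
class IpsecPolicy:
    local_address: str
    remote_address: Optional[str]   # required on the initiator, optional on the responder
    transform_sets: list            # ordered TransformSet list, at most six
    lifetime_seconds: int           # locally configured SA lifetime

def find_matching_transform_set(initiator, responder):
    """Return the first transform set that fully matches on both ends, else None."""
    for side in (initiator, responder):
        if len(side.transform_sets) > MAX_TRANSFORM_SETS:
            raise ValueError("an IKE-based policy can reference at most six transform sets")
    for proposal in initiator.transform_sets:
        # A full match means identical protocols, algorithms and encapsulation mode.
        if proposal in responder.transform_sets:
            return proposal
    return None

def negotiate_sa(initiator, responder):
    """Model the negotiation outcome: (transform_set, lifetime), or None if no SA is set up."""
    if initiator.remote_address is None:
        raise ValueError("the remote address is required on the negotiation initiator")
    # The remote address on one end must equal the local address on the other end.
    if initiator.remote_address != responder.local_address:
        return None
    if responder.remote_address not in (None, initiator.local_address):
        return None
    matched = find_matching_transform_set(initiator, responder)
    if matched is None:
        return None  # no SA; traffic expecting protection is dropped
    # The SA uses the smaller of the local and the peer-proposed lifetimes.
    return matched, min(initiator.lifetime_seconds, responder.lifetime_seconds)

# Constructed sample: only ESP_AES_SHA_TUNNEL is present on both ends.
ESP_AES_SHA_TUNNEL = TransformSet(frozenset({"esp"}), frozenset({"aes-cbc-128", "sha1"}), "tunnel")
ESP_AES_SHA_TRANSPORT = TransformSet(frozenset({"esp"}), frozenset({"aes-cbc-128", "sha1"}), "transport")
AH_SHA_TUNNEL = TransformSet(frozenset({"ah"}), frozenset({"sha1"}), "tunnel")
INITIATOR = IpsecPolicy("1.1.1.1", "2.2.2.2", [ESP_AES_SHA_TRANSPORT, ESP_AES_SHA_TUNNEL], 3600)
RESPONDER = IpsecPolicy("2.2.2.2", None, [AH_SHA_TUNNEL, ESP_AES_SHA_TUNNEL], 1800)
```

Calling `negotiate_sa(INITIATOR, RESPONDER)` yields the tunnel-mode ESP set with a 1800-second lifetime; an initiator whose remote address does not match the responder's local address, or whose transform sets share nothing with the responder's, gets `None`.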