R211x-HP Flexfabric 11900 Security Configuration Guide
Step 3. Configure a peer ID.
   Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
   Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication.
   Command: keychain keychain-name
   Remarks: By default, no IKE keychain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
   Command:
   • In non-FIPS mode: exchange-mode { aggressive | main }
   • In FIPS mode: exchange-mode main
   Remarks: By default, the main mode is used during IKE negotiation phase 1.

Step 6. Specify the IKE proposals for the IKE profile to reference.
   Command: proposal proposal-number&<1-6>
   Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.

Step 7. Configure the local ID.
   Command: local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
   Remarks: By default, no local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.

Step 8. (Optional.) Configure IKE DPD.
   Command: dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
   Remarks: By default, the IKE DPD function is not configured for an IKE profile and an IKE profile uses the DPD settings configured in system view. If the IKE DPD function is not configured in system view either, the device does not perform dead IKE peer detection.

Step 9. (Optional.) Specify the local interface or IP address to which the IKE profile can be applied.
   Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
   Remarks: By default, an IKE profile can be applied to any local interface or IP address.
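
The following is an added example, not part of the HP guide: a small Python audit that checks saved IKE profile stanzas against the rules stated in the table above (peer ID required, main mode only in FIPS mode, at most six proposal numbers, DPD fallback). It assumes each stanza begins with "ike profile <name>" and that its commands are indented beneath it; the sample configuration, profile names, keychain name and addresses are constructed.

```python
import re

# Constructed sample configuration; profile names, keychain name, FQDN and
# address are made up for this example.
SAMPLE_CONFIG = """\
ike profile branch-a
 keychain kc1
 exchange-mode aggressive
 proposal 1 2 3 4 5 6 7
 local-identity fqdn hq.example.com
#
ike profile branch-b
 keychain kc1
 match remote identity address 192.0.2.10 255.255.255.255
 proposal 10
 dpd interval 10 retry 5 on-demand
#
"""

def parse_profiles(text):
    """Return {profile name: [commands]}. Assumes stanzas start with
    'ike profile <name>' and their commands are indented beneath."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"ike profile (\S+)$", line)
        if header:
            current = profiles.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '#' or any unindented line ends the stanza
    return profiles

def audit_profile(cmds, fips=False):
    """Check one profile's commands against the rules in the table."""
    findings = []
    if not any(c.startswith("match remote ") for c in cmds):
        findings.append("no peer ID: at least one 'match remote' is required")
    if fips and "exchange-mode aggressive" in cmds:
        findings.append("aggressive mode: FIPS mode accepts only 'exchange-mode main'")
    if any(c.startswith("proposal ") and len(c.split()) > 7 for c in cmds):
        findings.append("proposal: more than 6 proposal numbers listed")
    if not any(c.startswith("dpd interval ") for c in cmds):
        findings.append("no profile DPD: system-view DPD applies, or none at all")
    return findings

def audit_config(text, fips=False):
    return {n: audit_profile(c, fips) for n, c in parse_profiles(text).items()}
```

Calling audit_config(SAMPLE_CONFIG, fips=True) returns a dictionary of findings per profile; an empty list means the profile satisfies every rule checked here.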










