R211x-HP Flexfabric 11900 Security Configuration Guide

Step 3. Configure a pre-shared key.
    Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
    Remarks: By default, no pre-shared key is configured. For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
Step 4. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
    Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
    Remarks: By default, an IKE keychain can be applied to any local interface or IP address.
Step 5. (Optional.) Specify a priority for the IKE keychain.
    Command: priority number
    Remarks: The default priority is 100.
Configuring the global identity information
Follow these guidelines when you configure the global identity information for the local IKE:
- The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
- When pre-shared key authentication is used, you cannot set the DN as the identity.
To configure the global identity information:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Configure the global identity to be used by the local end.
    Command: ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
    Remarks: By default, the IP address of the interface to which the IPsec policy is applied is used as the IKE identity.
Configuring the IKE keepalive function
IKE sends keepalive packets to query the liveness of the peer. If the peer is configured with the keepalive timeout time, you must configure the keepalive interval on the local device. If the peer receives no keepalive packets during the timeout time, it deletes the IKE SA along with the IPsec SAs that the IKE SA negotiated.
Follow these guidelines when you configure the IKE keepalive function:
- Configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer. The IKE keepalive function sends keepalives at regular intervals, which consumes network bandwidth and resources.
- The keepalive timeout time configured on the local device must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout to three times the keepalive interval.
To configure the IKE keepalive function:
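The following is an added configuration example, not taken from this guide, that ties together the keychain, global identity and keepalive settings on two peers so that each side's keepalive timeout is three times the other side's keepalive interval, as the guideline above recommends. The keychain name, addresses, key value and the ike keepalive interval / ike keepalive timeout commands are assumptions for illustration.

```text
# Constructed example: Device A (198.51.100.1) and Device B (203.0.113.2).
# Keychain name, addresses, key and the keepalive commands are assumptions.

# ---------------- Device A ----------------
system-view
 ike keychain kc-siteB
  # Pre-shared key bound to peer B's address (mask-length 32).
  # Entered as simple text here; the device saves it as cipher text.
  pre-shared-key address 203.0.113.2 32 key simple Example-PSK-ChangeMe
  # Restrict this keychain to negotiations sourced from A's own address.
  match local address 198.51.100.1
  # Lower number wins over the default of 100 when several keychains match.
  priority 10
  quit
 # Address identity: DN is not allowed with pre-shared key authentication.
 ike identity address 198.51.100.1
 # Assumed commands: send a keepalive every 20 s, and declare B dead
 # (deleting the IKE SA and its IPsec SAs) after 60 s without one from B.
 ike keepalive interval 20
 ike keepalive timeout 60

# ---------------- Device B ----------------
system-view
 ike keychain kc-siteA
  pre-shared-key address 198.51.100.1 32 key simple Example-PSK-ChangeMe
  match local address 203.0.113.2
  priority 10
  quit
 ike identity address 203.0.113.2
 # Mirror image of A: B's timeout (60 s) = 3 x A's interval (20 s).
 ike keepalive interval 20
 ike keepalive timeout 60
```

On each device the timeout must exceed the interval configured on the peer, not its own interval; a mismatch in the wrong direction causes IKE SAs, and the IPsec SAs under them, to be torn down during normal packet loss.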