R211x-HP Flexfabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products

Destroying a local key pair ········································································································································· 120

Configuring a peer public key ···································································································································· 121

Importing a peer host public key from a public key file ·················································································· 121

Entering a peer public key ································································································································· 121

Displaying and maintaining public keys ··················································································································· 122

Examples of public key management ························································································································ 122

Example for entering a peer public key ············································································································ 122

Example for importing a public key from a public key file ············································································· 124

Configuring IPsec ···················································································································································· 127

Overview ······································································································································································· 127

Security protocols and encapsulation modes ··································································································· 128

Security association ············································································································································· 129

Authentication and encryption ··························································································································· 130

IPsec implementation ··········································································································································· 130

Protocols and standards ····································································································································· 131

FIPS compliance ··························································································································································· 131

IPsec tunnel establishment ··········································································································································· 131

Implementing ACL-based IPsec ··································································································································· 132

Feature restrictions and guidelines ···················································································································· 132

ACL-based IPsec configuration task list ············································································································· 132

Configuring an ACL ············································································································································ 133

Configuring an IPsec transform set ···················································································································· 133

Configuring a manual IPsec policy···················································································································· 135

Configuring an IKE-based IPsec policy ············································································································· 137

Applying an IPsec policy to an interface ·········································································································· 139

Enabling ACL checking for de-encapsulated packets ······················································································ 140

Configuring the IPsec anti-replay function ········································································································ 140

Binding a source interface to an IPsec policy ·································································································· 141

Enabling QoS pre-classify ·································································································································· 141

Enabling logging of IPsec packets ····················································································································· 142

Configuring the DF bit of IPsec packets ············································································································ 142

Configuring SNMP notifications for IPsec ················································································································· 143

Displaying and maintaining IPsec ······························································································································ 143

IPsec configuration examples······································································································································ 144

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 144

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 147

Configuring IKE ······················································································································································· 150

IKE negotiation process ······································································································································ 150

IKE security mechanism ······································································································································· 151

IKE configuration prerequisites ··································································································································· 152

IKE configuration task list ············································································································································ 152

Configuring an IKE profile ·········································································································································· 153

Configuring an IKE proposal ······································································································································ 155

Configuring an IKE keychain ······································································································································ 156

Configuring the global identity information ·············································································································· 157

Configuring the IKE keepalive function ······················································································································ 157

Configuring the IKE NAT keepalive function ············································································································ 158

Configuring IKE DPD···················································································································································· 158

Enabling invalid SPI recovery ····································································································································· 159

Setting the maximum number of IKE SAs ··················································································································· 159