R21xx-HP FlexFabric 11900 Security Command Reference

A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than
a remote host name for the manual IPsec policy.
If you configure a remote host name, the following scenarios apply:
• If the host name is resolved by the DNS server, the local end sends a request to the DNS server to
  obtain the latest IP address corresponding to the host name when the domain name resolution
  period expires. The resolution period is defined by the DNS server and restarts after the local end
  obtains the latest IP address of the host.
• If the host name is resolved by the ip host command and you change the IP address of the remote
  host, you must reconfigure the remote host name in the IPsec policy or IPsec policy template by using
  the remote-address command. Otherwise, the local end cannot obtain the latest IP address of the
  remote host.
For example, the local end has a static domain name resolution entry, which maps the host name test to
the IP address 1.1.1.1. Configure the following commands:
# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
# Change the IP address for the host test to 2.2.2.2.
[Sysname] ip host test 2.2.2.2
In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end
can obtain the latest IP address of the remote host.
# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
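The following audit script is an added example, not part of the original command reference or any HP tool. It scans a saved configuration for remote-address entries that use a host name, and flags manual policies (which do not support DNS) and policies whose host name depends on a static ip host entry. It assumes the configuration is plain text using the command lines shown above, with "#" as the section separator; the sample configuration and the finding labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
ip host test 1.1.1.1
#
ipsec policy policy1 1 isakmp
 remote-address test
#
ipsec policy policy1 10 manual
 remote-address 10.1.1.2
#
ipsec policy policy2 5 manual
 remote-address peer-b
"""

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) (manual|isakmp)$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_remote_addresses(config_text):
    """Return (policy, seq, target, finding) for every host-name remote-address."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    static_hosts = {p[2] for p in map(str.split, lines)   # names with an "ip host" entry
                    if len(p) == 4 and p[:2] == ["ip", "host"]}
    findings, current = [], None
    for ln in lines:
        match = POLICY_RE.match(ln)
        if match:
            current = match.groups()          # (name, seq, mode)
        elif ln == "#":
            current = None                    # assumed section separator
        elif current and ln.startswith("remote-address "):
            name, seq, mode = current
            target = ln.split()[-1]
            if is_ip(target):
                continue                      # literal IPs need no resolution
            if mode == "manual":
                finding = "manual-hostname"   # manual policies do not support DNS
            else:                             # static entries go stale; DNS refreshes
                finding = "static-host" if target in static_hosts else "dns"
            findings.append((name, int(seq), target, finding))
    return findings
```

A "static-host" finding marks a policy where remote-address must be entered again whenever the matching ip host entry changes.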
Examples
# Specify the remote IP address 10.1.1.2 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-policy1-10] remote-address 10.1.1.2
Related commands
ip host (see Layer 3—IP Services Commands Reference)
local-address
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile policy-name | remote
{ ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin