R21xx-HP FlexFabric 11900 Security Configuration Guide
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE proposal and enter its view.
    Command: ike proposal proposal-number
    Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.

Step 3. Specify an encryption algorithm for the IKE proposal.
    Command: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
    Remarks: By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode in non-FIPS mode and the 128-bit AES encryption algorithm in FIPS mode.

Step 4. Specify an authentication method for the IKE proposal.
    Command: authentication-method { dsa-signature | pre-share | rsa-signature }
    Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

Step 5. Specify an authentication algorithm for the IKE proposal.
    Command:
    • In non-FIPS mode: authentication-algorithm { md5 | sha }
    • In FIPS mode: authentication-algorithm sha
    Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

Step 6. Specify a DH group for key negotiation in phase 1.
    Command: dh { group1 | group14 | group2 | group24 | group5 }
    Remarks: By default, group1 (the 768-bit DH group) is used. This command is only applicable to non-FIPS mode. In FIPS mode, the DH group used in key negotiation phase 1 for an IKE proposal is fixed to group14 (the 2048-bit Diffie-Hellman group).

Step 7. Set the IKE SA lifetime for the IKE proposal.
    Command: sa duration seconds
    Remarks: By default, the IKE SA lifetime is 86400 seconds.
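The Python script below is an added example, not part of the HP guide. It audits IKE proposals taken from a configuration dump against the defaults the table above states: a proposal that omits a sub-command falls back to des-cbc, pre-share, HMAC-SHA1, group1 and 86400 seconds in non-FIPS mode, so a proposal that looks empty in the running configuration is the weakest one. The configuration text is constructed for the example and its layout (indented sub-commands under an ike proposal line) is an assumption; the audit policy (AES only, SHA only, group14 or group24, lifetime no longer than the default) is this example's choice, not a vendor recommendation.

```python
"""Audit IKE proposals from a Comware-style configuration dump.

Added example, not from the HP guide. It assumes the running configuration
lists each proposal as an ``ike proposal N`` line followed by indented
sub-commands in the syntax of the table above. When a sub-command is absent,
the non-FIPS defaults stated by the guide are applied before auditing.
"""
import re

# Non-FIPS defaults the guide states for a proposal that omits the command.
DEFAULTS = {
    "encryption-algorithm": "des-cbc",
    "authentication-method": "pre-share",
    "authentication-algorithm": "sha",
    "dh": "group1",
    "sa duration": "86400",
}

# Audit policy: an assumption made for this example, not a vendor setting.
STRONG_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
STRONG_DH = {"group14", "group24"}  # group1/group2/group5 are 768/1024/1536-bit
MAX_SA_SECONDS = 86400

# Constructed sample: proposal 1 is explicitly hardened, proposal 2 sets only
# md5 and silently inherits des-cbc and group1 from the defaults.
SAMPLE_CONFIG = """\
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 authentication-method rsa-signature
 authentication-algorithm sha
 dh group14
 sa duration 28800
#
ike proposal 2
 authentication-algorithm md5
#
"""

PROPOSAL_RE = re.compile(r"^ike proposal (\d+)\s*$")
SUBCMD_RE = re.compile(
    r"^\s+(encryption-algorithm|authentication-method|authentication-algorithm"
    r"|dh|sa duration)\s+(\S+)\s*$"
)


def parse_proposals(config_text):
    """Return {proposal_number: {setting: value}} with defaults filled in."""
    proposals = {}
    current = None
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line)
        if m:
            current = int(m.group(1))
            proposals[current] = dict(DEFAULTS)
            continue
        if current is None:
            continue
        m = SUBCMD_RE.match(line)
        if m:
            proposals[current][m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None  # an unindented line (e.g. "#") leaves the proposal view
    return proposals


def audit_proposal(settings):
    """Return a list of findings for one proposal; an empty list means it passes."""
    findings = []
    if settings["encryption-algorithm"] not in STRONG_ENCRYPTION:
        findings.append("encryption %s is not AES" % settings["encryption-algorithm"])
    if settings["authentication-algorithm"] != "sha":
        findings.append("authentication algorithm %s is not SHA"
                        % settings["authentication-algorithm"])
    if settings["dh"] not in STRONG_DH:
        findings.append("DH %s is weaker than the 2048-bit group14" % settings["dh"])
    if int(settings["sa duration"]) > MAX_SA_SECONDS:
        findings.append("SA lifetime %s exceeds %d seconds"
                        % (settings["sa duration"], MAX_SA_SECONDS))
    return findings


def audit_config(config_text):
    """Audit every proposal in the dump: {proposal_number: [findings]}."""
    return {num: audit_proposal(s) for num, s in parse_proposals(config_text).items()}


if __name__ == "__main__":
    for num, findings in sorted(audit_config(SAMPLE_CONFIG).items()):
        print("ike proposal %d: %s" % (num, "OK" if not findings else "; ".join(findings)))
```

Run against the constructed sample, proposal 1 passes and proposal 2 produces three findings (DES, MD5, group1), all of which come from lines that are not visible in the dump at all. Feeding the script the output of the device's configuration display instead of the sample is the intended use.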
Configuring an IKE keychain
Perform this task when you configure IKE to use pre-shared key authentication.
Follow these guidelines when you configure an IKE keychain:
1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2. You can specify the local address configured in IPsec policy or IPsec policy template view (using
the local-address command) for the IKE keychain to be applied. If no local address is configured,
specify the IP address of the interface referencing the IPsec policy.
3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE
keychain:
a. The device examines the existence of the match local address command. An IKE keychain with
the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority
number has a higher priority.
c. If a tie still exists, the device prefers an IKE keychain configured earlier.
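The Python module below is an added example, not part of the HP guide, and it works through the three priority rules above on a small set of constructed keychains so that each rule decides at least one case. A keychain is modelled as a record with its configuration order, a priority number and an optional match local address; the default priority number of 100 and the candidate filter (a keychain whose match local address names an address other than the one in use is not considered) are assumptions made for the example, not statements from the guide.

```python
"""Rank IKE keychains with the three tie-break rules from the guide.

Added example, not from the HP guide. ``match_local_address`` is None when the
match local address command is absent; ``order`` is the configuration order
(lower means configured earlier). The candidate filter and the default priority
number of 100 are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkeKeychain:
    name: str
    order: int                               # configuration order, 1 = earliest
    priority: int = 100                      # assumed default priority number
    match_local_address: Optional[str] = None


def rank_keychains(keychains: List[IkeKeychain], local_address: str) -> List[IkeKeychain]:
    """Return the candidate keychains for local_address, best first.

    Rule a: a keychain with match local address configured ranks first.
    Rule b: among ties, the smaller priority number ranks first.
    Rule c: among remaining ties, the earlier-configured keychain ranks first.
    """
    # Assumption: a keychain whose match local address names a different
    # address than the one in use is not a candidate at all.
    candidates = [k for k in keychains if k.match_local_address in (None, local_address)]
    return sorted(candidates,
                  key=lambda k: (k.match_local_address is None, k.priority, k.order))


def select_keychain(keychains: List[IkeKeychain], local_address: str) -> Optional[IkeKeychain]:
    """Return the keychain the rules pick, or None if no keychain applies."""
    ranked = rank_keychains(keychains, local_address)
    return ranked[0] if ranked else None


# Constructed sample: two address-specific keychains and two generic ones that
# share a priority number and differ only in configuration order.
SAMPLE_KEYCHAINS = [
    IkeKeychain("kc-early", order=1, priority=50),
    IkeKeychain("kc-site-a", order=2, priority=100, match_local_address="10.1.1.1"),
    IkeKeychain("kc-site-b", order=3, priority=100, match_local_address="10.1.2.1"),
    IkeKeychain("kc-late", order=4, priority=50),
]


if __name__ == "__main__":
    for addr in ("10.1.1.1", "10.1.2.1", "10.9.9.9"):
        ranked = [k.name for k in rank_keychains(SAMPLE_KEYCHAINS, addr)]
        print("local %s -> %s (ranking: %s)" % (addr, ranked[0], ", ".join(ranked)))
```

For local address 10.1.1.1, kc-site-a wins by rule a even though its priority number (100) is larger than that of the generic keychains (50); for 10.9.9.9 no address-specific keychain applies and kc-early beats kc-late by rule c, since their priority numbers tie. The example is useful when you need to predict which pre-shared key the device will actually present to a peer before changing a keychain in place.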