R21xx-HP FlexFabric 11900 Security Configuration Guide
Applying an IPsec policy to an interface ..... 165
Enabling ACL checking for de-encapsulated packets ..... 165
Configuring the IPsec anti-replay function ..... 166
Binding a source interface to an IPsec policy ..... 166
Enabling QoS pre-classify ..... 167
Enabling logging of IPsec packets ..... 167
Configuring the DF bit of IPsec packets ..... 168
Displaying and maintaining IPsec ..... 169
IPsec configuration examples ..... 169
Configuring a manual mode IPsec tunnel for IPv4 packets ..... 169
Configuring an IKE-based IPsec tunnel for IPv4 packets ..... 172
Configuring IKE ..... 176
Overview ..... 176
IKE negotiation process ..... 176
IKE security mechanism ..... 177
Protocols and standards ..... 178
IKE configuration prerequisites ..... 178
FIPS compliance ..... 178
IKE configuration task list ..... 178
Configuring an IKE profile ..... 179
Configuring an IKE proposal ..... 181
Configuring an IKE keychain ..... 182
Configuring the global identity information ..... 183
Configuring the IKE keepalive function ..... 184
Configuring the IKE NAT keepalive function ..... 184
Configuring IKE DPD ..... 185
Enabling invalid SPI recovery ..... 185
Setting the limit on the number of IKE SAs ..... 186
Displaying and maintaining IKE ..... 186
Main mode IKE with pre-shared key authentication configuration example ..... 187
Network requirements ..... 187
Configuration procedure ..... 187
Verifying the configuration ..... 189
Support and other resources ..... 190
Contacting HP ..... 190
Subscription service ..... 190
Related information ..... 190
Documents ..... 190
Websites ..... 190
Conventions ..... 191
Index ..... 193










