R2511-HP MSR Router Series Security Configuration Guide(V5)
Hardware    FIPS mode
MSR1000     Yes.
IKE configuration task list
Determine the following parameters prior to IKE configuration:
• The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more
resistance to decryption of protected data but requires more resources. Generally, the longer the key,
the stronger the algorithm.
• The pre-shared key or the PKI domain the certificate belongs to. For more information about PKI
configuration, see "Configuring PKI."
To configure IKE:
Task                                                 Remarks
Configuring a name for the local security gateway    Optional.
Configuring an IKE proposal                          Optional. Required if you want to specify an IKE proposal for an IKE peer to reference.
Configuring an IKE peer                              Required.
Setting keepalive timers                             Optional.
Setting the NAT keepalive timer                      Optional.
Configuring a DPD detector                           Optional.
Disabling next payload field checking                Optional.
Configuring a name for the local security gateway
If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the id-type
name or id-type user-fqdn command is configured on the initiator), configure the ike local-name
command in system view or the local-name command in IKE peer view on the local device. If you
configure both commands, the name configured in IKE peer view is used.
To configure a name for the local security gateway:
Step                                                   Command                Remarks
1. Enter system view.                                  system-view            N/A
2. Configure a name for the local security gateway.    ike local-name name    Optional. By default, the device name is used as the name of the local security gateway.
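The precedence rule in this section, as an added example that is not part of the HP guide: a Python function that reads a saved configuration and reports which gateway name each IKE peer presents, so it can be compared with the name the remote end expects. The `sysname` and `ike peer` lines, the `#`-separated layout, and all names in the sample are assumptions; the sample is constructed.

```python
# Added example: which gateway name each IKE peer presents, per the
# precedence in this section (peer view > system view > device name).
SAMPLE_CONFIG = """\
#
 sysname RouterA
#
 ike local-name gw-hq
#
ike peer branch1
 id-type name
 local-name gw-hq-b1
#
ike peer branch2
 id-type name
#
"""  # constructed sample; layout is an assumption, not device output


def effective_local_names(config_text):
    """Return {peer: (name, source)} for every 'ike peer' block."""
    sysname = None       # device name (assumed 'sysname' line)
    global_name = None   # 'ike local-name' configured in system view
    peers = {}           # peer -> 'local-name' from IKE peer view, or None
    current = None       # IKE peer view being parsed, if any
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "#":
            current = None                      # '#' closes a view
        elif words[:2] == ["ike", "peer"] and len(words) == 3:
            current = words[2]
            peers[current] = None
        elif words[:2] == ["ike", "local-name"] and len(words) == 3:
            global_name = words[2]
        elif current and words[0] == "local-name" and len(words) == 2:
            peers[current] = words[1]
        elif current is None and words[0] == "sysname" and len(words) == 2:
            sysname = words[1]
    resolved = {}
    for peer, peer_name in peers.items():
        if peer_name:
            resolved[peer] = (peer_name, "IKE peer view")
        elif global_name:
            resolved[peer] = (global_name, "system view")
        else:
            resolved[peer] = (sysname, "device name (default)")
    return resolved
```

Calling `effective_local_names(SAMPLE_CONFIG)` shows `branch1` presenting the peer-view name while `branch2` falls back to the system-view name.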










