R2511-HP MSR Router Series Security Configuration Guide(V5)

Step 3. Specify the IKE negotiation mode for phase 1.
Command: exchange-mode { aggressive | main }
Remarks: Optional. The default is main. In FIPS mode, the aggressive mode is not supported.

Step 4. Specify the IKE proposals for the IKE peer to reference.
Command: proposal proposal-number&<1-6>
Remarks: Optional. By default, an IKE peer references no IKE proposals, and, when initiating IKE negotiation, it uses the IKE proposals configured in system view. If the IKE negotiation mode in phase 1 is aggressive, only the first IKE proposal specified for the IKE peer takes effect.

Step 5. Configure a pre-shared key for pre-shared key authentication or specify a PKI domain for digital signature authentication.
Command:
  To configure a pre-shared key: pre-shared-key [ cipher | simple ] key
  To specify a PKI domain: certificate domain domain-name
Remarks: Configure either command according to the authentication method for the IKE proposal. In FIPS mode, the key must contain at least eight characters comprising digits, uppercase and lowercase letters, and special characters.

Step 6. Select the ID type for IKE negotiation phase 1.
Command: id-type { ip | name | user-fqdn }
Remarks: Optional. By default, the ID type is IP.

Step 7. Configure a name for the local security gateway.
Command: local-name name
Remarks: Optional. By default, no name is configured for the local security gateway in IKE peer view, and the security gateway name configured by using the ike local-name command is used.

Step 8. Specify the name of the remote security gateway.
Command: remote-name name
Remarks: Optional. The remote gateway name configured with the remote-name command on the local gateway must be identical to the local name configured with the local-name command on the peer.

Step 9. Configure an IP address for the local gateway.
Command: local-address ip-address
Remarks: Optional. By default, it is the primary IP address of the interface referencing the security policy.
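
The constraints in the Remarks column above can be checked mechanically against a saved IKE peer view. The following Python check is an added example, not part of the HP guide: the sample configuration, the peer and gateway names and the key are constructed, and skipping the complexity check for a key entered with the cipher keyword (on the assumption that it is ciphertext) is an assumption.

```python
import re

# Constructed sample: an IKE peer view as it might appear in a saved configuration.
SAMPLE = """\
ike peer branch1
 exchange-mode aggressive
 proposal 10 20
 pre-shared-key simple Summer2024
 id-type name
 remote-name hq-gw
"""

def parse_peer(text):
    """Collect the IKE peer view commands covered by steps 3 to 8 into a dict."""
    cfg = {"exchange-mode": "main", "proposal": [], "id-type": "ip"}  # documented defaults
    for words in (line.split() for line in text.splitlines()):
        if len(words) < 2:
            continue
        if words[0] == "proposal":
            cfg["proposal"] = words[1:]           # proposal-number&<1-6>
        elif words[0] == "pre-shared-key":
            kw = words[1] if words[1] in ("cipher", "simple") else None
            cfg["psk"] = (kw, words[-1])          # (optional keyword, key text)
        elif words[0] in ("exchange-mode", "id-type", "local-name", "remote-name"):
            cfg[words[0]] = words[1]
    return cfg

def fips_key_ok(key):
    """FIPS-mode rule from step 5: at least 8 characters, all four classes present."""
    classes = (r"\d", r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]")
    return len(key) >= 8 and all(re.search(c, key) for c in classes)

def audit(text, fips=False, peer_local_name=None):
    """Return findings; peer_local_name is the local-name set on the remote gateway."""
    cfg, findings = parse_peer(text), []
    aggressive = cfg["exchange-mode"] == "aggressive"
    if aggressive and fips:
        findings.append("aggressive mode is not supported in FIPS mode")
    if aggressive and len(cfg["proposal"]) > 1:
        findings.append("aggressive mode: only the first proposal takes effect")
    kw, key = cfg.get("psk", (None, None))
    # Assumption: a key entered with 'cipher' is ciphertext and cannot be checked here.
    if fips and key is not None and kw != "cipher" and not fips_key_ok(key):
        findings.append("pre-shared key does not meet the FIPS complexity rule")
    if peer_local_name is not None and cfg.get("remote-name") != peer_local_name:
        findings.append("remote-name differs from the peer's local-name")
    return findings
```

Calling audit(SAMPLE, fips=True, peer_local_name="hq-gw") reports the aggressive-mode, ignored-proposal and key-complexity findings for the constructed peer.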