R2511-HP MSR Router Series Security Configuration Guide(V5)

Step 4. Set the DPD packet retransmission interval.
    Command: time-out time-out
    Remarks: Optional. 5 seconds by default.
Disabling next payload field checking
The Next payload field is in the generic payload header of the last payload of the IKE negotiation
message (the message comprises multiple payloads). According to the protocol, this field must be 0 if the
payload is the last payload of the packet. However, it might be set to other values on some brands of
devices. For interoperability, disable the checking of this field.
To disable Next payload field checking:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Disable Next payload field checking.
    Command: ike next-payload check disabled
    Remarks: Enabled by default.
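
The check described in this section, as an added example (not HP's code and not the router's implementation): a Python walk of an unencrypted IKEv1 payload chain using the RFC 2408 header layouts, with a flag that models the check enabled and disabled. The function names, the flag and the sample messages are constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 header, 28 bytes
GENERIC_HDR = struct.Struct("!BBH")        # Next payload, reserved, length

class PayloadError(ValueError):
    """The payload chain is malformed or fails the Next payload check."""

def walk_payloads(msg, check_next_payload=True):
    """Return the payload types found in an unencrypted IKEv1 message.

    check_next_payload=True rejects a non-zero Next payload field in the
    last payload; False tolerates it. Length bounds are enforced in both modes.
    """
    if len(msg) < ISAKMP_HDR.size:
        raise PayloadError("truncated ISAKMP header")
    _, _, next_type, _, _, _, _, total = ISAKMP_HDR.unpack_from(msg)
    if total != len(msg):
        raise PayloadError("header length does not match message size")
    offset, types = ISAKMP_HDR.size, []
    while offset < total:
        if total - offset < GENERIC_HDR.size:
            raise PayloadError("truncated generic payload header")
        following, _, length = GENERIC_HDR.unpack_from(msg, offset)
        if length < GENERIC_HDR.size or offset + length > total:
            raise PayloadError("payload length out of bounds")
        types.append(next_type)
        offset += length
        if offset == total and following != 0:  # last payload, field not 0
            if check_next_payload:
                raise PayloadError("last payload has Next payload %d" % following)
            break  # relaxed mode: the message length alone ends the chain
        if offset < total and following == 0:
            raise PayloadError("bytes remain after the final payload")
        next_type = following
    return types

def build_message(payloads, last_next=0):
    """Build a constructed test message from (type, body) tuples."""
    chain = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else last_next
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(data)) + data
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, payloads[0][0], 0x10, 2, 0, 0,
                           ISAKMP_HDR.size + len(chain)) + chain

# Constructed samples: SA (type 1) followed by Vendor ID (type 13).
SAMPLE = [(1, b"\x00" * 4), (13, b"vendor")]
COMPLIANT = build_message(SAMPLE)
QUIRKY = build_message(SAMPLE, last_next=13)  # peer leaves the field non-zero
```

With the check relaxed, only the declared lengths determine where the chain ends, so the bounds checks on each payload length remain mandatory in both modes.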
Displaying and maintaining IKE
Task: Display IKE DPD information.
    Command: display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display IKE peer information.
    Command: display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display IKE SA information.
    Command: display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Display IKE proposal information.
    Command: display ike proposal [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Task: Clear SAs established by IKE.
    Command: reset ike sa [ connection-id ]
    Remarks: Available in user view.
IKE configuration examples
Configuring main mode IKE with pre-shared key authentication
Network requirements
As shown in Figure 64, configure an IPsec tunnel that uses IKE negotiation between Router A and Router
B to secure the communication between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
For Router A, configure an IKE proposal that uses the sequence number 10 and the authentication
algorithm MD5. Leave Router B with only the default IKE proposal. Configure the two routers to use the
pre-shared key authentication method.