R2511-HP MSR Router Series Security Configuration Guide(V5)
3. Specify the encryption algorithms.
   Command: encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
   Remarks: By default, an IKEv2 proposal has no encryption algorithm.
4. Specify the integrity protection algorithms.
   Command: integrity { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
   Remarks: By default, an IKEv2 proposal has no integrity protection algorithm.
5. Specify the PRF algorithms.
   Command: prf { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
   Remarks: By default, an IKEv2 proposal has no PRF algorithm.
6. Specify the DH groups.
   Command: group { 1 | 2 | 5 | 14 } *
   Remarks: By default, an IKEv2 proposal has no DH group.
Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address
of the local security gateway as the matching criterion:
• If there are IKEv2 policies configured, IKEv2 searches for an IKEv2 policy that uses the IP address
of the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an
incomplete proposal, the IKE_SA_INIT exchange fails.
• If no IKEv2 policy is configured, IKEv2 uses the system predefined IKEv2 policy named default.
You can configure multiple IKEv2 policies. A policy configured earlier has a higher priority.
To configure an IKEv2 policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IKEv2 policy and enter IKEv2 policy view.
   Command: ikev2 policy policy-name
   Remarks: By default, the device has a system predefined IKEv2 policy named default. This policy uses the default IKEv2 proposal and matches any local address.
3. Specify the IKEv2 proposals.
   Command: proposal proposal-name&<1-6>
   Remarks: By default, a non-system predefined IKEv2 policy references no IKEv2 proposal. A proposal specified earlier has a higher priority.
4. Specify the local address used for IKEv2 policy matching.
   Command: match address local { ipv4-address | ipv6 ipv6-address }
   Remarks: Optional. By default, no local address is used for IKEv2 policy matching, and the policy matches any local address. An IKEv2 policy might have multiple local IP addresses for policy matching.
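The policy-matching rules in this section can be checked offline against a planned configuration. The following Python model is an added example, not code from the guide or the device. The names Proposal, Policy and select_policy are hypothetical, and it assumes that a proposal is "incomplete" when any of its four algorithm types is unset and that a policy fails if it references no proposal or any incomplete one.

```python
# Added example: a model of the policy-matching rules above, not device code.
from dataclasses import dataclass, field
from ipaddress import ip_address

REQUIRED = ("encryption", "integrity", "prf", "group")

@dataclass
class Proposal:
    name: str
    encryption: list = field(default_factory=list)
    integrity: list = field(default_factory=list)
    prf: list = field(default_factory=list)
    group: list = field(default_factory=list)

    def missing(self):
        # Every algorithm type is empty by default, so each must be set explicitly.
        return [k for k in REQUIRED if not getattr(self, k)]

@dataclass
class Policy:
    name: str
    proposals: list = field(default_factory=list)        # priority order
    local_addresses: list = field(default_factory=list)  # empty: any local address

    def matches(self, local):
        wanted = [ip_address(a) for a in self.local_addresses]
        return not wanted or ip_address(local) in wanted

def select_policy(policies, local):
    """Return (policy name, None) on a match, or (None, reason) on failure."""
    if not policies:
        return "default", None  # nothing configured: predefined policy applies
    # Configuration order is priority order, so the first matching policy wins.
    pol = next((p for p in policies if p.matches(local)), None)
    if pol is None:
        return None, f"no IKEv2 policy matches local address {local}"
    if not pol.proposals:  # assumption: treated like an incomplete proposal
        return None, f"policy {pol.name} references no proposal"
    for prop in pol.proposals:  # assumption: one incomplete proposal fails the policy
        if prop.missing():
            return None, f"proposal {prop.name} lacks: {', '.join(prop.missing())}"
    return pol.name, None

if __name__ == "__main__":
    # Constructed sample configuration using documentation address ranges.
    strong = Proposal("p1", ["aes-cbc-256"], ["sha2-256"], ["sha2-256"], [14])
    partial = Proposal("p2", encryption=["aes-cbc-128"])
    cfg = [Policy("edge", [strong], ["192.0.2.1"]), Policy("lab", [partial], ["198.51.100.1"])]
    for addr in ("192.0.2.1", "198.51.100.1", "203.0.113.9"):
        print(addr, select_policy(cfg, addr))
```

A catch-all policy (one with no match address) placed first shadows every later policy, which the model makes visible before the configuration is applied.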










