R2511-HP MSR Router Series Security Configuration Guide(V5)
228
Configuring an IKEv2 keyring
An IKEv2 keyring specifies the pre-shared keys used for IKEv2 negotiation. An IKEv2 keyring might have
multiple peers. Each peer has a symmetric or asymmetric pre-shared key, and an argument for identifying
the peer (such as the peer's host name, IP address or address range, or ID). An IKEv2 negotiation
initiator uses the peer's host name, IP address, or address range as the matching criterion to search for
a peer. A responder uses the peer's host IP address, address range, or ID as the matching criterion to
search for a peer.
To configure an IKEv2 keyring:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKEv2 keyring and enter IKEv2 keyring view.
  Command: ikev2 keyring keyring-name
  Remarks: By default, no IKEv2 keyring exists.

Step 3. Create an IKEv2 peer and enter IKEv2 peer view.
  Command: peer peer-name
  Remarks: By default, no IKEv2 peer exists.

Step 4. Configure a host name, host IP address, address range, or identity information for the IKEv2 peer.
  Command (configure one of them):
    • To configure a host name for the peer: hostname host-name
    • To configure a host IP address or address range for the peer: address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }
    • To configure identity information for the peer: identity { address { ipv4-address | ipv6 ipv6-address } | email email-string | fqdn fqdn-name | key-id key-id }
  Remarks: By default, an IKEv2 peer has no host name, host IP address, address range, or identity information. For the device to work as an initiator, you must configure the peer's host name, host IP address, or address range. For the device to work as a responder, you must configure the peer's host IP address, address range, or ID. You must configure different identity information for different peers.

Step 5. Configure a pre-shared key for the peer.
  Command: pre-shared-key [ local | remote ] [ cipher | simple ] key
  Remarks: By default, an IKEv2 peer has no pre-shared key.
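As an added example (not code from this guide or from the router), the following Python models a keyring's peers, checks the rules the table states (initiator and responder matching criteria, distinct identity information per peer, and either one symmetric key or both halves of an asymmetric pair) and then renders the commands in the table's order. It assumes the simple keyword enters the key in plaintext, and all peer names, addresses, and keys are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ikev2Peer:
    name: str
    hostname: Optional[str] = None    # hostname host-name
    address: Optional[str] = None     # e.g. "10.1.1.2 32" or "ipv6 2001:db8::2 128"
    identity: Optional[str] = None    # e.g. "fqdn branch1.example.com" or "key-id branch1"
    key: Optional[str] = None         # symmetric pre-shared key
    local_key: Optional[str] = None   # asymmetric: key this device uses
    remote_key: Optional[str] = None  # asymmetric: key the peer uses

def validate(peers: List[Ikev2Peer], role: str) -> List[str]:
    """Return rule violations for role 'initiator' or 'responder' (empty list = OK)."""
    errors, seen_ids = [], set()
    for p in peers:
        # Initiator matches a peer by host name or address; responder by address or ID.
        if role == "initiator" and not (p.hostname or p.address):
            errors.append(f"{p.name}: initiator needs hostname or address")
        if role == "responder" and not (p.address or p.identity):
            errors.append(f"{p.name}: responder needs address or identity")
        # Identity information must differ between peers.
        if p.identity:
            if p.identity in seen_ids:
                errors.append(f"{p.name}: identity {p.identity!r} already used")
            seen_ids.add(p.identity)
        # Either one symmetric key, or both halves of an asymmetric pair.
        if not (p.key or (p.local_key and p.remote_key)):
            errors.append(f"{p.name}: missing pre-shared key")
    return errors

def render(keyring: str, peers: List[Ikev2Peer]) -> List[str]:
    """Emit command lines in the table's order (call validate() first); 'simple' assumed = plaintext key."""
    lines = ["system-view", f"ikev2 keyring {keyring}"]
    for p in peers:
        lines.append(f" peer {p.name}")
        if p.hostname:
            lines.append(f"  hostname {p.hostname}")
        if p.address:
            lines.append(f"  address {p.address}")
        if p.identity:
            lines.append(f"  identity {p.identity}")
        if p.key:
            lines.append(f"  pre-shared-key simple {p.key}")
        else:
            lines.append(f"  pre-shared-key local simple {p.local_key}")
            lines.append(f"  pre-shared-key remote simple {p.remote_key}")
    return lines
```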
Configuring an IKEv2 profile
An IKEv2 profile provides the IKEv2 SA parameters that are not negotiated during IKEv2 negotiation,
such as the identity information of the two peers, the authentication method, the matching criterion used
to search for an IKEv2 profile, DPD parameters, and IKEv2 SA lifetime.
An IKEv2 profile is used by an IPsec policy or IPsec profile. You must configure an IKEv2 profile on both
the IKEv2 negotiation initiator and responder.
To configure an IKEv2 profile:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A