R2511-HP MSR Router Series Security Configuration Guide(V5)
238
• Use IKEv2 to dynamically negotiate keys and establish and maintain IPsec SAs.
• Configure IKEv2 to use the encryption algorithm AES-CBC-192, integrity protection algorithm MD5, PRF algorithm MD5, and 1024-bit DH group.
• Set both the local and remote authentication methods to RSA digital certificate.
Figure 68 Network diagram
Configuration prerequisites
Make sure Router A and Router B can reach each other.
Make sure both Router A and Router B have the CA certificates for certificate signing and authentication and have obtained a local certificate for IKEv2 negotiation.
Configuring the security gateway Router A
1. Configure PKI:
# Create PKI entity entity_a.
<RouterA> system-view
[RouterA] pki entity entity_a
[RouterA-pki-entity-entity_a] quit
# Configure PKI domain domain_a, the PKI domain used for certificate signing.
[RouterA] pki domain domain_a
[RouterA-pki-domain-domain_a] certificate request entity entity_a
[RouterA-pki-domain-domain_a] crl check disable
[RouterA-pki-domain-domain_a] quit
# Import the CA certificate for certificate signing in offline mode.
[RouterA] pki import-certificate ca domain domain_a der filename aaa_ca.crt
Is the finger print correct?(Y/N):y
# Import the local certificate in offline mode.
[RouterA] pki import-certificate local domain domain_a p12 filename sec001.docm.pfx
# Create PKI entity entity_b.
[RouterA] pki entity entity_b
[RouterA-pki-entity-entity_b] quit
# Configure PKI domain domain_b, the PKI domain used for certificate authentication.
[RouterA] pki domain domain_b
[RouterA-pki-domain-domain_b] certificate request entity entity_b
[RouterA-pki-domain-domain_b] crl check disable
[RouterA-pki-domain-domain_b] quit
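The prompt "Is the finger print correct?(Y/N):" in the CA import step is the only point at which the operator can reject a wrong or tampered CA certificate, so the displayed fingerprint should be compared with a value obtained out of band (from the CA operator) before answering y. The following Python script is an added example, not part of this guide or of the device software: it computes the MD5 and SHA-1 fingerprints of a DER-encoded certificate file in the usual colon-separated form and compares them in constant time with an expected value. The file name aaa_ca.crt comes from the guide; the sample byte string and the expected fingerprints are constructed placeholders, and the script's own function names are assumptions.

```python
import hashlib
import hmac
import sys

# Constructed placeholder standing in for the contents of aaa_ca.crt.
# It is a syntactically DER-shaped SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("30080201010403020100")


def looks_like_der(data: bytes) -> bool:
    """Cheap sanity check before importing: a DER-encoded X.509 certificate
    starts with a SEQUENCE tag (0x30). A PEM file, which starts with
    '-----BEGIN', fails this check; importing PEM with the 'der' keyword is a
    common cause of a rejected import."""
    return len(data) > 2 and data[0] == 0x30


def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Return the certificate fingerprint (digest of the whole DER encoding)
    as upper-case hex pairs separated by colons, e.g. 'AB:CD:...'.
    'sha1' and 'md5' are the forms devices and CAs commonly display."""
    digest = hashlib.new(algo, data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(data: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare an out-of-band fingerprint with the one computed from the file
    about to be imported. Separators and case are normalised first so that
    'ab cd ...' and 'AB:CD:...' compare equal; the comparison itself is
    constant time."""
    expected_norm = expected.replace(":", "").replace(" ", "").upper()
    actual_norm = fingerprint(data, algo).replace(":", "")
    return hmac.compare_digest(expected_norm, actual_norm)


def check_certificate_file(path: str, expected: str, algo: str = "sha1") -> bool:
    """Read a certificate file and return True only if it is DER-shaped and its
    fingerprint equals the expected value. Use this result to decide whether
    to answer y at the router's fingerprint prompt."""
    with open(path, "rb") as fh:
        data = fh.read()
    return looks_like_der(data) and fingerprint_matches(data, expected, algo)


if __name__ == "__main__":
    # Usage: python check_ca_fingerprint.py aaa_ca.crt <expected-fingerprint> [sha1|md5]
    # With no arguments the constructed sample is used so the script runs offline.
    if len(sys.argv) >= 3:
        algo = sys.argv[3] if len(sys.argv) > 3 else "sha1"
        ok = check_certificate_file(sys.argv[1], sys.argv[2], algo)
        print("fingerprint OK, safe to answer y" if ok else "fingerprint MISMATCH, answer n")
    else:
        print("SHA-1:", fingerprint(SAMPLE_DER, "sha1"))
        print("MD5:  ", fingerprint(SAMPLE_DER, "md5"))
```

The script hashes the raw DER bytes because that is what an X.509 fingerprint is; it therefore makes no attempt to parse the certificate, and the same check applies unchanged to the CA certificate imported into domain_b.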