R2511-HP MSR Router Series Security Configuration Guide (V5)
Keepalive
The primary KS periodically sends hello messages to the secondary KSs. If the secondary KSs receive no hello messages within a specific interval, they consider that the primary KS has failed and elect a new primary KS. During the election, the secondary KSs do not accept registrations from GMs.
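The keepalive and failover behaviour described above, modelled as an added example (this is not code from the guide or the device): a secondary KS resets its miss timer on each hello, declares the primary failed once the interval elapses, and refuses GM registrations while an election is running. The election rule (highest priority wins), the class and field names, and the sample values are assumptions.

```python
"""Constructed model of GDOI KS keepalive, failover and the registration
freeze during election. The election criterion (highest priority, name as
tie-breaker) is an assumption; the guide does not state it."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SecondaryKS:
    name: str
    priority: int                  # assumed election key (higher wins)
    miss_interval: float           # seconds without a hello before failover
    primary: Optional[str]         # name of the KS currently believed primary
    last_hello: float = 0.0        # time of the last hello from the primary
    electing: bool = False         # True while a new primary is being chosen
    peers: Dict[str, int] = field(default_factory=dict)  # other KS -> priority

    def on_hello(self, now: float, primary_name: str) -> None:
        """Hello from the primary: record it and reset the miss timer."""
        self.last_hello = now
        self.primary = primary_name
        self.electing = False

    def tick(self, now: float) -> bool:
        """Periodic check. Returns True if this call started an election."""
        if self.primary is None or self.primary == self.name:
            return False                       # we are primary or already electing
        if now - self.last_hello > self.miss_interval:
            self.primary = None                # primary declared failed
            self.electing = True
            return True
        return False

    def run_election(self) -> str:
        """Choose the new primary among this KS and its reachable peers."""
        candidates = dict(self.peers)
        candidates[self.name] = self.priority
        winner = max(candidates, key=lambda n: (candidates[n], n))
        self.primary = winner
        self.electing = False
        if winner == self.name:
            self.last_hello = float("inf")     # no hellos expected from ourselves
        return winner

    def register_gm(self, gm_id: str) -> bool:
        """GM registration is refused while the election is in progress."""
        return not self.electing
```

Sizing the hello interval and miss interval together bounds how long GMs are refused registration after a primary failure.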
Protocols and standards
• RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
• RFC 3547, The Group Domain of Interpretation (GDOI)
• RFC 3740, The Multicast Group Security Architecture
• RFC 5374, Multicast Extensions to the Security Architecture for the Internet Protocol
Configuration restrictions and guidelines
• The IKE settings on the KSs and GMs must match. Otherwise, phase-1 IKE negotiation will fail.
• The IKE settings on the primary and secondary KSs must match. Otherwise, phase-1 IKE negotiation will fail.
Configuring the GDOI KS
Complete the following tasks before you configure the GDOI KS:
• IKE configuration—Configure an IKE proposal and IKE peers for phase-1 IKE negotiation with GMs. Each IKE peer is identified by the address of the GM's registration interface. If KS redundancy is needed, you must also configure an IKE proposal and IKE peers for phase-1 IKE negotiation with the other KSs. Each such IKE peer is identified by the address of the KS. For more information about IKE, see "Configuring IKE."
• IPsec configuration—Configure an IPsec profile for TEK generation. For more information about IPsec, see "Configuring IPsec."
• ACL configuration—Configure an ACL to match the traffic protected by the TEK and specify the source and destination addresses for multicast rekey messages.
GDOI KS configuration task list
Task                                                        Remarks
Configuring basic settings for a GDOI KS group              Required.
Configuring GDOI KS redundancy                              Optional.
Specifying the source address for packets sent by the KS    Required.
Configuring rekey parameters                                Optional.
Configuring basic settings for a GDOI KS group
A device supports multiple GDOI KS groups. A GDOI KS group includes all settings required by a KS in the group. The basic GDOI KS group settings are as follows:
• Group name—Identifies the GDOI KS group on the device.