R2511-HP MSR Router Series Security Configuration Guide(V5)

Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID received from a GM to determine the GDOI KS group that the GM wants to join. Each group can have only one group ID, which must be a group number or an IP address.
Key pair—Used to generate local asymmetric key pairs carried in rekey messages. Each GDOI KS group can reference only one key pair. The public key in the key pair is used as part of the KEK assigned to GMs. A GM uses the public key to authenticate the KS.
Rekey ACL—Specifies the source and destination addresses for multicast rekey messages. Each GDOI KS group can reference only one rekey ACL.
IPsec policy—Includes an IPsec profile for TEK protection and an ACL that identifies the traffic to be protected.
Follow these guidelines when you configure basic settings for a GDOI KS group:
A GDOI KS group can have only one group ID. A newly configured group ID overwrites the previous one.
Different GDOI KS groups must have different group IDs.
The GDOI KSs that back up each other must reference the same key pair. As a result, you must make sure the GDOI KSs locally have the same key pair. You can export the local key pair from one KS and import it to the other KSs to ensure key pair consistency. For information about exporting and importing key pairs, see "Managing public keys."
To protect unicast traffic, the ACL referenced by the IPsec policy must have rules in pairs. Each pair of rules identifies a bidirectional traffic flow.
To protect multicast traffic, the destination address specified in the rekey ACL must be different from the destination address of any service traffic.
The same rekey ACL must be specified for the GDOI KSs that back up each other. If different rekey ACLs are configured on the primary KS and the secondary KSs, the GMs that have registered with the secondary KSs cannot receive the multicast rekey messages from the primary KS.
The ACL referenced by an IPsec policy can have many rules, but whether the rules can be assigned to GMs depends on the size of the GDOI packet and the number of TEKs. For a GDOI KS group that has only one IPsec policy, you can configure a maximum of 200 rules for the referenced ACL. For a GDOI KS group that has multiple IPsec policies, determine the maximum number of rules (less than 200) according to the size of the GDOI packet and the number of TEKs.
Configure the same IPsec policy within the GDOI KS group to which the GDOI KSs that back up each other belong. In addition, the referenced ACL, the referenced IPsec profile, and the configured IPsec SA lifetime must be the same.
NOTE:
When a KS continually performs rekey operations, it generates lots of TEKs and might fail to assign all TEKs and ACL rules.
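The guidelines above are consistency rules rather than commands, so a practitioner can check a planned configuration against them before touching the routers. The following Python script is an added example, not part of this guide and not HP code: it models a GDOI KS group with a few data classes and checks the rule-pairing, rekey-destination, rule-count, unique-group-ID and backup-KS-consistency guidelines. The data model, the reduction of each ACL rule to one source and one destination address, and all sample addresses and names are assumptions made for the example; the multi-policy rule bound is implemented only as "fewer than 200" because the real limit depends on the GDOI packet size and the number of TEKs.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 200  # per-ACL rule limit the guide states for a single-policy group


@dataclass(frozen=True)
class AclRule:
    # Assumption for this example: a rule is reduced to one source and one destination address
    src: str
    dst: str

    def mirror(self):
        """The reverse-direction rule that completes a unicast pair."""
        return AclRule(self.dst, self.src)

    def is_multicast(self):
        return ipaddress.ip_address(self.dst).is_multicast


@dataclass(frozen=True)
class IpsecPolicy:
    profile: str       # IPsec profile used for TEK protection
    acl: tuple         # AclRule entries identifying the traffic to be protected
    sa_lifetime: int   # IPsec SA lifetime in seconds


@dataclass(frozen=True)
class KsGroup:
    name: str
    group_id: str      # group number or IP address
    key_pair: str      # name of the local asymmetric key pair used in rekey messages
    rekey_acl: AclRule # source and destination of multicast rekey messages
    policies: tuple    # IpsecPolicy entries


def check_group(group):
    """Return the guideline violations found in one GDOI KS group (empty list if clean)."""
    problems = []
    for policy in group.policies:
        rules = set(policy.acl)
        count = len(policy.acl)
        if len(group.policies) == 1 and count > MAX_RULES:
            problems.append(f"{policy.profile}: {count} rules exceeds the {MAX_RULES}-rule limit")
        if len(group.policies) > 1 and count >= MAX_RULES:
            # With several policies the real limit is lower and depends on packet size and TEK count
            problems.append(f"{policy.profile}: {count} rules; must stay below {MAX_RULES} with multiple policies")
        for rule in rules:
            if rule.is_multicast():
                # Multicast service traffic must not use the rekey ACL's destination address
                if rule.dst == group.rekey_acl.dst:
                    problems.append(f"{policy.profile}: rule to {rule.dst} collides with the rekey ACL destination")
            elif rule.mirror() not in rules:
                # Unicast flows must be described by a pair of rules, one per direction
                problems.append(f"{policy.profile}: unicast rule {rule.src}->{rule.dst} has no reverse rule")
    return problems


def check_ks(groups):
    """Group IDs must be unique among the GDOI KS groups configured on one KS."""
    seen = {}
    problems = []
    for g in groups:
        if g.group_id in seen:
            problems.append(f"group ID {g.group_id} used by both {seen[g.group_id]} and {g.name}")
        seen.setdefault(g.group_id, g.name)
    return problems


def check_backup_pair(primary, secondary):
    """KSs that back each other up must share the key pair, rekey ACL and IPsec policy."""
    problems = []
    if primary.key_pair != secondary.key_pair:
        problems.append("key pair differs; export it from one KS and import it on the other")
    if primary.rekey_acl != secondary.rekey_acl:
        problems.append("rekey ACL differs; GMs on the secondary KS will miss the primary's multicast rekeys")
    if primary.policies != secondary.policies:
        problems.append("IPsec policy (ACL, profile or SA lifetime) differs")
    return problems


# Constructed sample data: one clean group, one group that breaks two guidelines,
# and a backup KS copy of the clean group that uses a different key pair.
REKEY = AclRule("192.0.2.1", "239.192.0.1")
GOOD = KsGroup("sales", "1", "ks-rsa", REKEY, (
    IpsecPolicy("prof1", (AclRule("10.1.1.1", "10.2.2.2"), AclRule("10.2.2.2", "10.1.1.1"),
                          AclRule("10.1.1.1", "239.192.0.5")), 3600),))
BAD = KsGroup("hr", "1", "ks-rsa", REKEY, (
    IpsecPolicy("prof2", (AclRule("10.3.3.3", "10.4.4.4"), AclRule("10.3.3.3", "239.192.0.1")), 3600),))
BACKUP = KsGroup("sales", "1", "other-key", REKEY, GOOD.policies)

if __name__ == "__main__":
    for g in (GOOD, BAD):
        print(g.name, check_group(g) or "ok")
    print("KS-wide:", check_ks([GOOD, BAD]) or "ok")
    print("backup pair:", check_backup_pair(GOOD, BACKUP) or "ok")
```

Running the script reports that the "hr" group has an unpaired unicast rule and a multicast rule that reuses the rekey destination, that the two groups share group ID 1, and that the backup KS references a different key pair; the "sales" group passes. The checks only cover what this page states, so a clean result does not replace verifying the packet-size and TEK-count limits on the actual KS.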
To configure basic settings for a GDOI KS group:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a GDOI KS group and enter GDOI KS group view. | gdoi ks group group-name | By default, no GDOI KS group is created. |