R2511-HP MSR Router Series Security Configuration Guide(V5)
| Task | Command |
|---|---|
| Display GDOI KS group information. | display gdoi ks [ group group-name ] |
| Display GDOI KS group ACL information. | display gdoi ks acl [ group group-name ] |
| Display GDOI KS redundancy information. | display gdoi ks redundancy [ group group-name ] |
| Display information about online GDOI KS group members. | display gdoi ks members [ group group-name ] [ ip ip-address ] |
| Display GDOI KS group rekey information. | display gdoi ks rekey [ group group-name ] |
| Display GDOI KS group policy information. | display gdoi ks policy [ group group-name ] |
| Clear GDOI KS group information. | reset gdoi ks [ group group-name ] |
| Reset GDOI KS redundancy roles. | reset gdoi ks redundancy role [ group group-name ] |
| Clear GDOI KS group member information. | reset gdoi ks members [ group group-name ] |
| Enforce rekey. | gdoi ks rekey [ group group-name ] |

Configuring the GDOI GM
The GDOI GM needs IKE settings that include an IKE proposal and an IKE peer used for phase-1 IKE
negotiation. The IKE peer is identified by the IP address of the KS. For information about IKE
configuration, see "Configuring IKE."
GDOI GM configuration task list
| Task | Remarks |
|---|---|
| Configuring a GDOI GM group | Required. |
| Configuring a GDOI IPsec policy | Required. |
| Applying a GDOI IPsec policy to an interface | Required. |

Configuring a GDOI GM group
You can configure multiple GDOI GM groups on a GM. Different GDOI GM groups must have different
KS addresses and group IDs.
A GDOI GM group includes the following information that the GM uses to register with a KS:
• Group name—Identifies the GDOI GM group on the GM, used for local management and
reference.
• Group ID—Identifies the GDOI GM group in the group domain VPN. The KS uses the group ID to
identify the GDOI GM group that the requesting GM wants to join. A GDOI GM group can have
only one group ID that is a group number or an IP address.
• KS address—Identifies the IP address of a KS with which the GM registers. A GDOI GM group can
have up to eight KS addresses. The GM first sends a registration request to the first-specified KS. If
the registration does not succeed before the register timer expires, the GM registers with other KSs
one by one in the order they are configured until the registration succeeds. If all registration
attempts fail, the GM repeats the registration process.
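
The group rules and the registration order described above can be checked offline against a planned configuration. The following Python sketch is an added example, not HP code or device output. The dictionary layout, the function names, the sample addresses, and the `rounds` bound are assumptions, and the uniqueness rule is read here as "no two groups share both the group ID and a KS address".

```python
import ipaddress
MAX_KS = 8  # the guide allows up to eight KS addresses per GDOI GM group

def valid_group_id(gid):
    """A group ID is either a group number or an IP address."""
    if isinstance(gid, int):
        return True
    try:
        ipaddress.ip_address(gid)
        return True
    except ValueError:
        return False

def audit(groups):
    """Assumption: uniqueness is read as 'no two groups share both the
    group ID and a KS address'. Returns a list of findings."""
    findings, seen = [], {}  # seen: (group ID, KS) -> first group using it
    for name, g in groups.items():
        if not valid_group_id(g["id"]):
            findings.append(f"{name}: group ID must be a number or an IP address")
        if not 1 <= len(g["ks"]) <= MAX_KS:
            findings.append(f"{name}: {len(g['ks'])} KS addresses, allowed 1 to {MAX_KS}")
        for ks in g["ks"]:
            other = seen.setdefault((str(g["id"]), ks), name)
            if other != name:
                findings.append(f"{name}: same group ID and KS {ks} as {other}")
    return findings

def register(ks_list, answers, rounds=2):
    """Try each KS in configured order; no answer stands for an expired
    register timer. After the last KS, start over from the first. The GM
    repeats without limit; 'rounds' only bounds this simulation."""
    tried = []
    for _ in range(rounds):
        for ks in ks_list:
            tried.append(ks)
            if answers(ks, len(tried)):
                return ks, tried
    return None, tried

# Constructed sample data (documentation-range addresses, not from the guide).
GROUPS = {
    "gm-a": {"id": 12345, "ks": ["192.0.2.1", "192.0.2.2", "192.0.2.3"]},
    "gm-b": {"id": 12345, "ks": ["192.0.2.2"]},
    "gm-c": {"id": "group-x", "ks": [f"198.51.100.{i}" for i in range(1, 10)]},
}

if __name__ == "__main__":
    print("\n".join(audit(GROUPS)))
    print(register(GROUPS["gm-a"]["ks"], lambda ks, n: ks == "192.0.2.2" and n >= 5))
```

The second call models a KS that only starts answering on the fifth attempt, so the GM walks the whole list once and succeeds on the second pass.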










