R2511-HP MSR Router Series Security Configuration Guide(V5)
474
• Registration interface—The GM uses the registration interface to send registration packets to the KS.
By default, the registration interface of a GM is the output interface of the route from the GM to the
KS.
Follow these guidelines when you configure a GDOI GM group:
• A GDOI GM group can have only one group ID. A newly configured group ID overwrites the
previous one.
• Different GDOI GM groups must have different group IDs and KS addresses.
• A GDOI GM group must have the same group ID as the KS with which the GM group registers.
To configure a GDOI GM group:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a GDOI GM group and enter GDOI GM group view.
    Command: gdoi gm group group-name
    Remarks: By default, no GDOI GM group exists.

Step 3. Configure a GDOI GM group ID.
    Command: identity { address ip-address | number number }
    Remarks: By default, no GDOI GM group ID is specified. Specify an IP address or a number as the group ID.

Step 4. Configure a KS address.
    Command: server address ip-address
    Remarks: By default, no KS address is specified.

Step 5. Configure a registration interface.
    Command: client registration interface interface-type interface-number
    Remarks: Optional. By default, the registration interface is the output interface of the route from the GM to the KS.
Configuring a GDOI IPsec policy
A GDOI IPsec policy can comprise multiple entries. The GDOI IPsec policy is identified by a name, and each entry is identified by a sequence number. A smaller sequence number represents a higher priority.

Perform this task to configure a GDOI IPsec policy and to reference a GDOI GM group and a local ACL for each entry. The GDOI GM group provides the KS address and group ID that the GM uses for registration. The local ACL is used to filter packets: packets matching a permit rule of the local ACL are discarded, and packets matching a deny rule are forwarded in plain text.

After the GM successfully registers with a KS, the KS assigns a security policy that contains an ACL. The GM uses this downloaded ACL to determine which packets to encrypt. Packets matching a permit rule of the downloaded ACL are encrypted. Packets matching a deny rule are forwarded in plain text. Packets that do not match any rule are forwarded in plain text.

The GM first matches packets against the local ACL, and then matches packets that did not match the local ACL against the downloaded ACL. Packets that match neither the local ACL nor the downloaded ACL are forwarded in plain text.

IPsec packets whose destination address is the local device are not matched against the local ACL in the GDOI IPsec policy. They are matched only against the downloaded ACL.

A GDOI IPsec policy does not apply to GDOI protocol packets or to non-first fragments.
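The two-stage matching order described above (local ACL first, then the KS-downloaded ACL, with the local-device and non-applicable exceptions) is easy to get wrong when reviewing a policy, because a permit in the local ACL means discard while a permit in the downloaded ACL means encrypt. The following Python model is an added example, not code from the guide or from the router software; the ACL rules, addresses and the local-device address are constructed for illustration, and the rules match on source/destination prefix only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AclRule:
    action: str   # "permit" or "deny"
    src: str      # source prefix in CIDR notation (constructed sample values below)
    dst: str      # destination prefix in CIDR notation


@dataclass
class Packet:
    src: str
    dst: str
    is_gdoi: bool = False             # GDOI protocol packet (registration/rekey traffic)
    non_first_fragment: bool = False  # fragment other than the first of a datagram


def acl_match(rules: List[AclRule], pkt: Packet) -> Optional[str]:
    """Return the action of the first rule the packet matches, or None if no rule matches."""
    for rule in rules:
        if (ip_address(pkt.src) in ip_network(rule.src)
                and ip_address(pkt.dst) in ip_network(rule.dst)):
            return rule.action
    return None


def gdoi_disposition(pkt: Packet, local_acl: List[AclRule],
                     downloaded_acl: List[AclRule], local_addrs: set) -> str:
    """Decide what a GM does with a packet under a GDOI IPsec policy.

    Returns one of: "not-applied", "discard", "plaintext", "encrypt".
    """
    # The policy does not apply to GDOI protocol packets or non-first fragments.
    if pkt.is_gdoi or pkt.non_first_fragment:
        return "not-applied"

    # Stage 1: local ACL. Skipped for packets destined to the local device.
    if pkt.dst not in local_addrs:
        local_action = acl_match(local_acl, pkt)
        if local_action == "permit":
            return "discard"       # permit in the local ACL means drop
        if local_action == "deny":
            return "plaintext"     # deny in the local ACL means forward unencrypted

    # Stage 2: downloaded (KS-assigned) ACL, for packets the local ACL did not match.
    downloaded_action = acl_match(downloaded_acl, pkt)
    if downloaded_action == "permit":
        return "encrypt"           # permit in the downloaded ACL means protect with IPsec
    return "plaintext"             # deny or no match: forward in plain text


# Constructed sample data (hypothetical addresses, not from the guide).
LOCAL_DEVICE_ADDRS = {"10.1.1.1"}

LOCAL_ACL = [
    AclRule("permit", "10.1.0.0/16", "10.2.0.0/16"),   # drop traffic to 10.2/16
    AclRule("deny", "10.1.0.0/16", "10.3.0.0/24"),     # bypass encryption for 10.3.0/24
    AclRule("permit", "0.0.0.0/0", "10.1.1.1/32"),     # would drop, but skipped for local-device traffic
]

DOWNLOADED_ACL = [
    AclRule("permit", "10.1.0.0/16", "10.3.0.0/16"),   # encrypt traffic to 10.3/16
    AclRule("deny", "10.1.0.0/16", "10.4.0.0/16"),     # plain text to 10.4/16
    AclRule("permit", "0.0.0.0/0", "10.1.1.1/32"),     # encrypt traffic to the local device
]


def classify(src: str, dst: str, **flags) -> str:
    """Convenience wrapper over gdoi_disposition using the constructed sample policy."""
    return gdoi_disposition(Packet(src, dst, **flags), LOCAL_ACL, DOWNLOADED_ACL, LOCAL_DEVICE_ADDRS)


if __name__ == "__main__":
    for src, dst, flags in [
        ("10.1.1.5", "10.2.1.1", {}),
        ("10.1.1.5", "10.3.0.7", {}),
        ("10.1.1.5", "10.3.9.9", {}),
        ("10.1.1.5", "10.4.1.1", {}),
        ("10.1.1.5", "10.5.1.1", {}),
        ("10.9.0.2", "10.1.1.1", {}),
        ("10.1.1.5", "10.2.1.1", {"is_gdoi": True}),
    ]:
        print(f"{src} -> {dst} {flags or ''}: {classify(src, dst, **flags)}")
```

Note the case of the packet to 10.3.0.7: the downloaded ACL would encrypt it, but the local ACL's deny rule is evaluated first and sends it in plain text, which is exactly the kind of precedence interaction worth checking when a local ACL is added to an existing GDOI IPsec policy entry.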