R0106-HP MSR Router Series Security Configuration Guide(V7)

[DeviceB] interface gigabitethernet 2/1/1
[DeviceB-GigabitEthernet2/1/1] ipv6 address 2001::9/64
[DeviceB-GigabitEthernet2/1/1] natpt enable
[DeviceB-GigabitEthernet2/1/1] quit
# Assign an IPv4 address to interface GigabitEthernet 2/1/2, and enable NAT-PT for the interface.
[DeviceB] interface gigabitethernet 2/1/2
[DeviceB-GigabitEthernet2/1/2] ip address 192.168.1.1 255.255.255.0
[DeviceB-GigabitEthernet2/1/2] natpt enable
[DeviceB-GigabitEthernet2/1/2] quit
# Specify the NAT-PT prefix.
[DeviceB] natpt prefix 3001::
# Configure the static mapping at the IPv4 network side.
[DeviceB] natpt v4bound static 192.168.1.2 3001::5
# Configure the static mapping at the IPv6 network side.
[DeviceB] natpt v6bound static 2001::5 192.16.18.111
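The following Python sketch is an added example, not part of the original guide or of any HP tooling. It models only the static NAT-PT mappings configured on Device B above, to show which IPv4 addresses an IPv6 flow is rewritten to and when a flow has no usable mapping. It assumes a 96-bit NAT-PT prefix as in RFC 2766; the function names are hypothetical.

```python
import ipaddress
import re

# Device B NAT-PT commands copied from the configuration above.
DEVICE_B = """\
[DeviceB] natpt prefix 3001::
[DeviceB] natpt v4bound static 192.168.1.2 3001::5
[DeviceB] natpt v6bound static 2001::5 192.16.18.111
"""

def parse_natpt(config):
    """Return (prefix, v4bound, v6bound) parsed from 'natpt' command lines."""
    prefix, v4bound, v6bound = None, {}, {}
    for line in config.splitlines():
        # Drop the "[DeviceB...]" prompt, then split the command into words.
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", line.strip()).split()
        if cmd[:2] == ["natpt", "prefix"]:
            # Assumption: the NAT-PT prefix is 96 bits long (RFC 2766).
            prefix = ipaddress.IPv6Network(cmd[2] + "/96")
        elif cmd[:3] == ["natpt", "v4bound", "static"]:
            # The IPv4 host is presented to the IPv6 side as this IPv6 address.
            v4bound[ipaddress.IPv6Address(cmd[4])] = ipaddress.IPv4Address(cmd[3])
        elif cmd[:3] == ["natpt", "v6bound", "static"]:
            # The IPv6 host is presented to the IPv4 side as this IPv4 address.
            v6bound[ipaddress.IPv6Address(cmd[3])] = ipaddress.IPv4Address(cmd[4])
    return prefix, v4bound, v6bound

def audit(prefix, v4bound):
    """List v4bound IPv6 addresses that fall outside the NAT-PT prefix."""
    return [str(a) for a in v4bound if prefix is None or a not in prefix]

def translate_v6_to_v4(config, src6, dst6):
    """Return the IPv4 (src, dst) pair for an IPv6 flow, or raise ValueError."""
    prefix, v4bound, v6bound = parse_natpt(config)
    src, dst = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    if prefix is None or dst not in prefix:
        raise ValueError(f"{dst} is outside the NAT-PT prefix; not translated")
    if dst not in v4bound:
        raise ValueError(f"no v4bound mapping for destination {dst}")
    if src not in v6bound:
        raise ValueError(f"no v6bound mapping for source {src}")
    return str(v6bound[src]), str(v4bound[dst])

if __name__ == "__main__":
    print(translate_v6_to_v4(DEVICE_B, "2001::5", "3001::5"))
```

Dynamic mappings are not modeled, so any source or destination without a static entry is reported as untranslatable.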
Configuring Device A
1. Configure the static route to the subnet corresponding to the NAT-PT prefix.
<DeviceA> system-view
[DeviceA] ipv6 route-static 3001:: 16 2001::9
2. Create a PKI entity named aaa and set its common name to test.
[DeviceA] pki entity aaa
[DeviceA-pki-entity-aaa] common-name test
[DeviceA-pki-entity-aaa] quit
3. Configure a PKI domain:
# Create a PKI domain named torsa and enter its view.
[DeviceA] pki domain torsa
# Specify the name of the trusted CA as myca.
[DeviceA-pki-domain-torsa] ca identifier myca
# Configure the URL of the registration server in the form of http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server.
[DeviceA-pki-domain-torsa] certificate request url http://[3001::5]:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337
# Specify the CA to accept certificate requests.
[DeviceA-pki-domain-torsa] certificate request from ca
# Specify the PKI entity name as aaa.
[DeviceA-pki-domain-torsa] certificate request entity aaa
# Specify the URL of the CRL repository. In this example, a URL in HTTP format cannot be used because the RSA Keon CA server cannot process IPv6 data in HTTP packets, even though Device B can convert IPv6 packets from Device A to IPv4 packets. If an OpenCA server acts as the CA server, you can specify a URL in HTTP format. This limitation depends on the type of your CA server.
[DeviceA-pki-domain-torsa] crl url ldap://[3001::5]:389/CN=sslrsa,OU=sec,O=docm,C=cn
# Specify the RSA key pair with the purpose general, the name abc, and the length 1024 bits.