R0106-HP MSR Router Series Security Configuration Guide(V7)
7. Specify a local interface or IP address for the IKE profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that references the IPsec policy.
8. Specify an inside VPN instance. This setting determines where the device forwards received IPsec-protected data. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the data. Otherwise, the device looks for a route in the same VPN instance as the external network and forwards the data within that VPN instance.
9. Specify a priority number for the IKE profile. To determine the priority of an IKE profile:
a. First, the device checks whether the match local address command is configured. An IKE profile with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE profile with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers the IKE profile that was configured earlier.
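The following is an added illustration of the profile selection rules in steps 7 and 9, written in Python for this guide; it is not the device's code. It assumes each profile carries its configuration order, an optional match local address, a priority number, and its match remote identity address entries (written here as a CIDR prefix or as a low-high range), and treats a profile whose match local address does not match the local address as not applicable.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class IkeProfile:
    name: str
    order: int                   # configuration order: lower = configured earlier
    priority: int                # priority number: smaller = higher priority
    remote_addrs: List[str]      # match remote identity address entries (constructed form)
    match_local: Optional[str] = None  # match local address, if configured


def _remote_matches(entry: str, peer_ip: str) -> bool:
    """True if peer_ip falls inside one 'match remote identity address' entry."""
    ip = ip_address(peer_ip)
    if "-" in entry:                       # range low-address high-address
        low, high = entry.split("-")
        return ip_address(low) <= ip <= ip_address(high)
    return ip in ip_network(entry, strict=False)   # address with mask or prefix-length


def candidate_profiles(profiles, peer_ip, local_ip):
    """Profiles whose peer ID matches the peer and whose local address (if set) matches."""
    result = []
    for p in profiles:
        if p.match_local is not None and p.match_local != local_ip:
            continue                       # step 7: applies only to its local address
        if any(_remote_matches(e, peer_ip) for e in p.remote_addrs):
            result.append(p)
    return result


def select_profile(profiles, peer_ip, local_ip):
    """Apply the three tie-break rules of step 9; return the chosen profile or None."""
    candidates = candidate_profiles(profiles, peer_ip, local_ip)
    if not candidates:
        return None
    # 9a: match local address configured wins; 9b: smaller priority number;
    # 9c: configured earlier. Python's tuple ordering applies them in sequence.
    return min(candidates, key=lambda p: (p.match_local is None, p.priority, p.order))


# Constructed sample profiles (not taken from any real device configuration).
PROFILES = [
    IkeProfile("branch-all", order=1, priority=10, remote_addrs=["10.1.1.0/24"]),
    IkeProfile("branch-wan1", order=2, priority=50, remote_addrs=["10.1.1.0/24"],
               match_local="192.0.2.1"),
    IkeProfile("branch-core", order=3, priority=10, remote_addrs=["10.1.1.5-10.1.1.9"]),
]
```

Running select_profile(PROFILES, "10.1.1.6", "192.0.2.1") returns branch-wan1 even though its priority number is larger, because a configured match local address takes precedence over the priority number.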
To configure an IKE profile:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create an IKE profile and enter its view.
  Command: ike profile profile-name
  Remarks: By default, no IKE profile is configured.

Step 3. Configure a peer ID.
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
  Remarks: By default, an IKE profile has no peer ID. Each of the two peers must have at least one peer ID configured.

Step 4. Specify the keychain for pre-shared key authentication or the PKI domain used to request a certificate for digital signature authentication.
  Commands (configure at least one as required):
  • To specify the keychain for pre-shared key authentication: keychain keychain-name
  • To specify the PKI domain used to request a certificate for digital signature authentication: certificate domain domain-name
  Remarks: By default, no IKE keychain or PKI domain is specified for an IKE profile.

Step 5. Specify the IKE negotiation mode for phase 1.
  Commands:
  • In non-FIPS mode: exchange-mode { aggressive | main }
  • In FIPS mode: exchange-mode main
  Remarks: By default, the main mode is used during IKE negotiation phase 1.

Step 6. Specify the IKE proposals for the IKE profile to reference.
  Command: proposal proposal-number&<1-6>
  Remarks: By default, an IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.