R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

Certificate request from an RSA Keon CA server in an NAT-PT network ······················································ 226

IKE negotiation with RSA digital signature from a Windows 2003 CA server ············································ 229

Certificate access control policy configuration example················································································· 232

Certificate import and export configuration example ····················································································· 233

Troubleshooting PKI configuration ······························································································································ 239

Failed to obtain the CA certificate ····················································································································· 239

Failed to obtain local certificates ······················································································································· 239

Failed to request local certificates ····················································································································· 240

Failed to obtain CRLs ·········································································································································· 241

Failed to import the CA certificate ····················································································································· 241

Failed to import a local certificate ····················································································································· 242

Failed to export certificates ································································································································ 242

Failed to set the storage path ····························································································································· 243

Configuring IPsec ···················································································································································· 244

Overview ······································································································································································· 244

Security protocols and encapsulation modes ··································································································· 244

Security association ············································································································································· 246

Authentication and encryption ··························································································································· 247

IPsec implementation ··········································································································································· 247

IPsec RRI································································································································································ 248

Protocols and standards ····································································································································· 249

FIPS compliance ··························································································································································· 249

Security strength ··························································································································································· 249

IPsec tunnel establishment ··········································································································································· 250

Implementing ACL-based IPsec ··································································································································· 250

Configuring an ACL ············································································································································ 251

Configuring an IPsec transform set ···················································································································· 253

Configuring a manual IPsec policy···················································································································· 255

Configuring an IKE-based IPsec policy ············································································································· 257

Applying an IPsec policy to an interface ·········································································································· 261

Enabling ACL checking for de-encapsulated packets ······················································································ 262

Configuring the IPsec anti-replay function ········································································································ 262

Binding a source interface to an IPsec policy ·································································································· 263

Enabling QoS pre-classify ·································································································································· 263

Enabling logging of IPsec packets ····················································································································· 264

Configuring the DF bit of IPsec packets ············································································································ 264

Configuring IPsec RRI ·········································································································································· 265

Configuring IPsec for IPv6 routing protocols ············································································································· 266

Configuration task list ········································································································································· 266

Configuring a manual IPsec profile ··················································································································· 266

Configuring SNMP notifications for IPsec ················································································································· 268

Displaying and maintaining IPsec ······························································································································ 268

IPsec configuration examples······································································································································ 269

Configuring a manual mode IPsec tunnel for IPv4 packets ············································································ 269

Configuring an IKE-based IPsec tunnel for IPv4 packets ················································································· 272

Configuring an IKE-based IPsec tunnel for IPv6 packets ················································································· 275

Configuring IPsec for RIPng ································································································································ 279

Configuring IKE ······················································································································································· 287

IKE negotiation process ······································································································································ 287

IKE security mechanism ······································································································································· 288