Configuring an IKE-based IPsec policy - HP FlexNetwork 10500 Series Security Configuration Manual


Step 8. Configure keys for the IPsec SA.

Configuring an IKE-based IPsec policy

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE.
To configure an IKE-based IPsec policy, use one of the following methods:
• Directly configure it by configuring the parameters in IPsec policy view.
• Configure it by using an existing IPsec policy template with the parameters to be negotiated configured.
  A device using an IPsec policy that is configured in this way cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.

Configuration restrictions and guidelines

When you configure an IKE-based IPsec policy, follow these restrictions and guidelines:
• The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The IPsec policies at the two tunnel ends must have the same IKE profile parameters.
• You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets that were to be protected are dropped.
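
The full-match rule above can be checked against both ends' intended configuration before deployment. The following Python check is an added example, not taken from the HP manual or the device software: it enforces the six-set limit and returns the first fully matched pair, or the closest miss when no SA could be set up. The class, field names, one-value-per-field model and sample algorithm strings are assumptions made for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

MAX_TRANSFORM_SETS = 6  # per-policy limit from the guidelines above

@dataclass(frozen=True)
class TransformSet:
    name: str                       # local label, never compared
    protocol: str                   # "ah", "esp" or "ah-esp"
    encap_mode: str                 # "tunnel" or "transport"
    esp_encryption: Optional[str] = None
    esp_authentication: Optional[str] = None
    ah_authentication: Optional[str] = None

# Assumed model: one value per field; all fields except the name must agree.
COMPARED = [f.name for f in fields(TransformSet) if f.name != "name"]

def mismatches(a, b):
    """Return the names of the compared fields on which a and b differ."""
    return [f for f in COMPARED if getattr(a, f) != getattr(b, f)]

def find_full_match(local, remote):
    """Return (local_name, remote_name) of the first full match, or None."""
    for side, sets in (("local", local), ("remote", remote)):
        if len(sets) > MAX_TRANSFORM_SETS:
            raise ValueError(f"{side} policy has {len(sets)} transform sets")
    for loc in local:
        for rem in remote:
            if not mismatches(loc, rem):
                return (loc.name, rem.name)
    return None

def nearest_miss(local, remote):
    """For non-empty lists, return the pair with the fewest differing fields."""
    pairs = [(mismatches(a, b), a.name, b.name) for a in local for b in remote]
    diff, l_name, r_name = min(pairs, key=lambda p: len(p[0]))
    return l_name, r_name, diff

# Constructed sample data; set names and algorithm strings are illustrative.
SITE_A = [
    TransformSet("ts-aes", "esp", "tunnel", "aes-cbc-256", "sha1"),
    TransformSet("ts-ah", "ah", "tunnel", ah_authentication="sha1"),
]
SITE_B_OK = [TransformSet("peer-ah", "ah", "tunnel", ah_authentication="sha1")]
SITE_B_BAD = [TransformSet("peer-aes", "esp", "transport", "aes-cbc-256", "sha1")]

if __name__ == "__main__":
    for peer in (SITE_B_OK, SITE_B_BAD):
        print(find_full_match(SITE_A, peer) or nearest_miss(SITE_A, peer))
```

In the second sample pair only the encapsulation mode differs, which is enough to prevent SA setup under the rule above.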

Command
• Configure an authentication key in hexadecimal format for AH:
  sa hex-key authentication { inbound | outbound } ah { cipher | simple } key-value
• Configure an authentication key in character format for AH:
  sa string-key { inbound | outbound } ah { cipher | simple } key-value
• Configure a key in character format for ESP:
  sa string-key { inbound | outbound } esp { cipher | simple } key-value
• Configure an authentication key in hexadecimal format for ESP:
  sa hex-key authentication { inbound | outbound } esp { cipher | simple } key-value
• Configure an encryption key in hexadecimal format for ESP:
  sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value
Remarks
• By default, no keys are configured for the IPsec SA.
• Configure keys correctly for the security protocol (AH, ESP, or both) you have specified in the IPsec transform set used by the IPsec policy.
• If you configure a key in both the character and the hexadecimal formats, only the most recent configuration takes effect.
• If you configure a key in character format for ESP, the device automatically generates an authentication key and an encryption key for ESP.
