Configuring an IKE keychain - HP FlexNetwork 10500 Series Security Configuration Manual


Step 4. Specify an authentication method for the IKE proposal.
    Command: authentication-method { dsa-signature | pre-share | rsa-signature }
    Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

Step 5. Specify an authentication algorithm for the IKE proposal.
    Command:
        In non-FIPS mode: authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
        In FIPS mode: authentication-algorithm { sha | sha256 | sha384 | sha512 }
    Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

Step 6. Specify a DH group for key negotiation in phase 1.
    Command:
        In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 }
        In FIPS mode: dh { group14 | group24 }
    Remarks: By default:
        In non-FIPS mode, DH group1 (the 768-bit DH group) is used.
        In FIPS mode, DH group14 (the 2048-bit DH group) is used.

Step 7. Set the IKE SA lifetime for the IKE proposal.
    Command: sa duration seconds
    Remarks: By default, the IKE SA lifetime is 86400 seconds.

Configuring an IKE keychain

Perform this task when you configure the IKE to use the pre-shared key for authentication.

Follow these guidelines when you configure an IKE keychain:

1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2. You can specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for the IKE keychain to be applied. If no local address is configured, specify the IP address of the interface to which the IPsec policy is applied.
3. You can specify a priority number for the IKE keychain. To determine the priority of an IKE keychain:
    a. The device examines the existence of the match local address command. An IKE keychain with the match local address command configured has a higher priority.
    b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
    c. If a tie still exists, the device prefers an IKE keychain configured earlier.

To configure the IKE keychain:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE keychain and enter its view.
    Command: ike keychain keychain-name [ vpn-instance vpn-name ]
    Remarks: By default, no IKE keychain exists.
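
The IKE proposal defaults in steps 5 and 6 (HMAC-SHA1, and DH group1 in non-FIPS mode) are not written into a saved configuration, so a proposal with no dh line silently negotiates with the 768-bit group. The following check is an added example, not taken from the HP manual: it flags proposals whose effective settings fall outside the FIPS-mode value sets listed above. It assumes proposals appear as an "ike proposal <number>" line followed by indented commands, that "sha" is the keyword for the HMAC-SHA1 default, and it uses a constructed sample configuration.

```python
import re

# Value sets the manual lists for FIPS mode, used here as the audit baseline.
ALLOWED = {
    "authentication-algorithm": {"sha", "sha256", "sha384", "sha512"},
    "dh": {"group14", "group24"},
}
# Non-FIPS defaults from the manual; assumption: "sha" is the HMAC-SHA1 keyword.
NON_FIPS_DEFAULTS = {"authentication-algorithm": "sha", "dh": "group1"}

def parse_proposals(config_text):
    """Map proposal number -> {command: value} for explicitly configured lines."""
    proposals, current = {}, None
    for raw in config_text.splitlines():
        header = re.fullmatch(r"ike proposal (\S+)", raw.strip())
        if header:  # assumed layout of the proposal header line
            current = proposals.setdefault(header.group(1), {})
        elif not raw.startswith(" "):
            current = None  # left the proposal view ("#" or another section)
        elif current is not None:
            words = raw.split()
            if len(words) == 2 and words[0] in ALLOWED:
                current[words[0]] = words[1]
    return proposals

def audit(config_text):
    """Return sorted (proposal, command, value, source) tuples outside the baseline."""
    findings = []
    for name, explicit in parse_proposals(config_text).items():
        for command, allowed in ALLOWED.items():
            # A missing line means the device applies its default for that command.
            value = explicit.get(command, NON_FIPS_DEFAULTS[command])
            if value not in allowed:
                source = "explicit" if command in explicit else "default"
                findings.append((name, command, value, source))
    return sorted(findings)

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
#
ike proposal 1
 authentication-algorithm sha256
 dh group14
#
ike proposal 2
 authentication-algorithm md5
#
ike proposal 3
 dh group5
 sa duration 3600
#
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("proposal %s: %s %s (%s)" % finding)
```

Proposal 2 in the sample is reported twice: once for the explicit md5 setting and once for the group1 default it inherits because it has no dh line.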
