Configuring An Ike Peer - HP 12500 Series Configuration Manual

Step
3. Specify an encryption
algorithm for the IKE
proposal.
4. Specify an authentication
method for the IKE
proposal.
5. Specify an authentication
algorithm for the IKE
proposal.
6. Specify a DH group for key
negotiation in phase 1.
7. Set the ISAKMP SA lifetime
for the IKE proposal.

Configuring an IKE peer

For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:
Specify the IKE negotiation mode (main mode) for the local end to use in IKE negotiation phase 1.
•
When acting as the IKE negotiation responder, the local end uses the IKE negotiation mode of the
remote end.
Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When
•
acting as the responder, the local end uses the IKE proposals configured in system view for
negotiation.
• Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature
authentication.
Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key
•
authentication, the ID type must be IP address for main mode IKE negotiation and can be IP address,
FQDN, or user FQDN for aggressive mode IKE negotiation.
Specify the name or IP address of the local security gateway. You perform this task only when you
•
want to specify a special address, a loopback interface address, for example, as the local security
gateway address.
Specify the name or IP address of the remote security gateway. For the local end to initiate IKE
•
negotiation, you must specify the name or IP address of the remote security gateway on the local
end so the local end can find the remote end.
Enable NAT traversal. If there is NAT gateway on the path for tunneling, you must configure NAT
•
traversal at the two ends of the IPsec tunnel, because one end may use a public address while the
other end uses a private address.
Specify the DPD detector for the IKE peer.
•
Command
encryption-algorithm aes-cbc
[ key-length ]
authentication-method
{ pre-share | rsa-signature }
authentication-algorithm sha
dh { group2 | group5 | group14 }
sa duration seconds
200
Remarks
Optional.
128-bit AES in CBC mode by default.
Optional.
Pre-shared key by default.
Optional.
SHA1 by default.
Optional.
The default DH group is group2 (the
1024-bit DH group).
Optional.
86400 seconds by default.
Before an ISAKMP SA expires, IKE
negotiates a new SA to replace it. DH
calculation in IKE negotiation takes
time, especially on low-end devices. To
prevent SA updates from influencing
normal communication, set the lifetime
greater than 10 minutes.