HP 12500 Series Configuration Manual page 6

Routing
Table of Contents

Managing public keys ... 155
Overview ... 155
Public key configuration task list ... 156
Configuring a local asymmetric key pair on the local device ... 156
Creating a local asymmetric key pair ... 156
Displaying or exporting the local host public key ... 157
Destroying a local asymmetric key pair ... 158
Specifying the peer public key on the local device ... 158
Displaying and maintaining public keys ... 159
Public key configuration examples ... 160
Manually specifying the peer public key on the local device ... 160
Importing a public key from a public key file ... 162
Configuring IPsec ... 165
Overview ... 165
Basic concepts ... 165
IPsec for IPv6 routing protocols ... 168
IPsec RRI ... 168
Protocols and standards ... 168
Implementing IPsec ... 168
Implementing ACL-based IPsec ... 169
Configuring an ACL ... 169
Configuring an IPsec proposal ... 172
Configuring an IPsec policy ... 174
Applying an IPsec policy group to an interface ... 178
Configuring the IPsec session idle timeout ... 178
Enabling ACL checking of de-encapsulated IPsec packets ... 179
Configuring the IPsec anti-replay function ... 179
Configuring packet information pre-extraction ... 180
Enabling invalid SPI recovery ... 180
Configuring IPsec RRI ... 181
Configuring IPsec for IPv6 routing protocols ... 182
Displaying and maintaining IPsec ... 183
IPsec configuration examples ... 183
Configuring a manual mode IPsec tunnel for IPv4 packets ... 183
Configuring an IKE-based IPsec tunnel for IPv4 packets ... 186
Configuring IPsec for RIPng ... 189
Configuring IPsec RRI ... 192
Configuring IKE ... 196
Overview ... 196
IKE security mechanism ... 196
IKE operation ... 196
IKE functions ... 197
Relationship between IKE and IPsec ... 198
Protocols and standards ... 198
IKE configuration task list ... 198
Configuring a name for the local security gateway ... 199
Configuring an IKE proposal ... 199
Configuring an IKE peer ... 200
Setting keepalive timers ... 202
Setting the NAT keepalive timer ... 203
Configuring a DPD detector ... 203
Disabling next payload field checking ... 203
Displaying and maintaining IKE ... 204