To Next Page

To Previous Page

297

Step

Command

Remarks

{ ipv4-address [ mask | mask-length ] |

ipv6

ipv6-address [ prefix-length ] } |

hostname

host-name }

key

{

cipher

cipher-key |

simple

simple-key }

In Release 1121 and later:

• In non-FIPS mode:

pre-shared-key { address

{ ipv4-address [

mask |

mask-length ] | ipv6

ipv6-address [ prefix-length ] } |

hostname host-name } key

{ cipher cipher-key | simple

simple-key }

• In FIPS mode:

pre-shared-key { address

{ ipv4-address [

mask |

mask-length ] | ipv6

ipv6-address [ prefix-length ] } |

hostname host-name } key

[cipher cipher-key ]

For security purposes, all

pre-shared keys, including those

configured in plain text, are

saved in cipher text

to the

configuration file.

4. (Optional.) Specify a local

interface or IP

address to

which the IKE keychain can

be applied.

match local address

{

interface-type

interface-number

{ ipv4-address

ipv6

ipv6-address } [

vpn-instance

vpn-name ] }

By default, an IKE keychain can

be applied to any local interface

or IP address.

(Optional.) Specify a

priority for the IKE

keychain.

priority

number The default priority is 100.

Configuring the global identity information

Follow these guidelines when you configure the global identity information for the local IKE:

• The global identity can be used by the device for all IKE SA negotiations, and the local identity

(set by the local-identity command) can be used only by the device that uses the IKE profile.

• When signature authentication is used, you can set any type of the identity information.

• When pre-shared key authentication is used, you cannot set the DN as the identity.

To configure the global identity information:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the global identity

to be used by the local end.

ike identity

{

address

{

ipv4-address |

ipv6

ipv6-address

} |

fqdn

[ fqdn-name ] |

user-fqdn

[ user-fqdn-name ] }

By default, the IP address of the

interface to which the IPsec policy or

IPsec policy

template is applied is

used as the IKE identity.

3. (Optional.) C

onfigure the

local device to always obtain

the identity information from

the

local certificate for

signature authentication.

ike signature-identity

from-certificate

By default, the local end uses the

identity information specified by

local-identity

ike identity

for

signature authentication.

Configure this command when the

aggressive

mode and signature

authentication are used and the

device interconnects with a Comware

5-based peer device. Comware 5

Brand	HPE
Model	FlexNetwork 5510 HI Series
Category	Switch
Language	English

HPE FlexNetwork 5510 HI Series Security Configuration Guide

Table of Contents

Other manuals for HPE FlexNetwork 5510 HI Series

Questions and Answers:

HPE FlexNetwork 5510 HI Series Specifications

Related product manuals