Step 7. Set the ISAKMP SA lifetime for the IKE proposal.
Command: sa duration seconds
Remarks: Optional. 86400 seconds by default. Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation takes time, especially on low-end devices. To prevent SA updates from influencing normal communication, set the lifetime to greater than 10 minutes.
Configuring an IKE peer
For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:
• Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If the IP address of the remote end is obtained dynamically and pre-shared key authentication is used, Hewlett Packard Enterprise recommends setting the IKE negotiation mode of the local end to aggressive. When acting as the IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.
• Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation.
• Configure a pre-shared key for pre-shared key authentication, or a PKI domain for digital signature authentication.
• Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key authentication, the ID type must be IP address for main mode IKE negotiation, and can be IP address, FQDN, or user FQDN for aggressive mode IKE negotiation.
• Specify the name or IP address of the local security gateway. You perform this task only when you want to use a special address (for example, a loopback interface address) as the local security gateway address.
• Specify the name or IP address of the remote security gateway. For the local end to initiate IKE negotiation, you must specify the name or IP address of the remote security gateway on the local end so that the local end can find the remote end.
• Enable NAT traversal. If there is a NAT gateway on the tunnel path, you must configure NAT traversal at both ends of the IPsec tunnel, because one end might use a public address while the other end uses a private address.
• Specify the DPD detector for the IKE peer.
To configure an IKE peer:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Create an IKE peer and enter IKE peer view.
Command: ike peer peer-name
Remarks: N/A
Step 3. Specify the IKE negotiation mode for phase 1.
Command: exchange-mode { aggressive | main }
Remarks: Optional. The default is main. In FIPS mode, the aggressive mode is not supported.
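As an added example (not HPE code), the following Python checker applies the constraints this section states (aggressive mode versus FIPS mode, ID type per negotiation mode, dynamic remote address, remote gateway on the initiator, the lifetime recommendation, and NAT traversal on both ends) to constructed descriptions of the two tunnel ends. The dictionary keys are this example's assumptions, not CLI keywords.

```python
# Added example (not HPE code): a small checker for the IKE peer rules this
# page states. Peers are plain dicts whose keys are assumptions of this
# example, not CLI keywords.

RECOMMENDED_MIN_LIFETIME = 600  # page: keep the ISAKMP SA lifetime above 10 minutes
PSK_ID_TYPES_AGGRESSIVE = ("ip", "fqdn", "user-fqdn")


def check_ike_peer(local, remote=None, fips=False, nat_on_path=False):
    """Return findings for the local end ('error: ...' or 'warning: ...')."""
    findings = []
    mode, auth = local["exchange_mode"], local["auth"]
    if fips and mode == "aggressive":
        findings.append("error: aggressive mode is not supported in FIPS mode")
    if auth == "pre-shared-key":
        if mode == "main" and local["id_type"] != "ip":
            findings.append("error: main mode with a pre-shared key needs ID type ip")
        if mode == "aggressive" and local["id_type"] not in PSK_ID_TYPES_AGGRESSIVE:
            findings.append("error: aggressive mode ID type must be ip, fqdn or user-fqdn")
        if local.get("remote_address_dynamic") and mode != "aggressive":
            findings.append("warning: remote address is dynamic; aggressive mode is recommended")
    if local.get("initiator") and not local.get("remote_gateway"):
        findings.append("error: an initiator must name or address the remote gateway")
    if local.get("lifetime", 86400) <= RECOMMENDED_MIN_LIFETIME:
        findings.append("warning: ISAKMP SA lifetime is not above 10 minutes")
    if nat_on_path and not (local.get("nat_traversal") and remote and remote.get("nat_traversal")):
        findings.append("error: a NAT on the path needs NAT traversal enabled on both ends")
    return findings


def effective_mode(initiator, responder):
    """The responder follows the initiator's phase-1 mode, so that mode wins."""
    return initiator["exchange_mode"]


# Constructed sample: a hub with a static address and a spoke behind NAT that
# gets its address dynamically and initiates the tunnel.
HUB = {"exchange_mode": "main", "auth": "pre-shared-key", "id_type": "ip",
       "lifetime": 86400, "nat_traversal": True, "initiator": False,
       "remote_address_dynamic": True}
SPOKE = {"exchange_mode": "main", "auth": "pre-shared-key", "id_type": "fqdn",
         "lifetime": 300, "nat_traversal": False, "initiator": True,
         "remote_gateway": "192.0.2.1"}

if __name__ == "__main__":
    for name, me, peer in (("hub", HUB, SPOKE), ("spoke", SPOKE, HUB)):
        for finding in check_ike_peer(me, peer, nat_on_path=True):
            print(f"{name}: {finding}")
```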