one KS, and import the key pair to the other KSs so that all KSs hold the same key pair. For
information about exporting and importing key pairs, see "Managing public keys."
• To protect unicast traffic, the ACL referenced by the IPsec policy must have rules in pairs. Each pair of rules identifies one bidirectional traffic flow (one rule per direction).
• To protect multicast traffic, the destination address specified in the rekey ACL must be different from the destination address of any service traffic.
• The same rekey ACL must be specified on the GDOI KSs that back up each other. If different rekey ACLs are configured on the primary KS and the secondary KSs, the GMs that have registered with the secondary KSs cannot receive the multicast rekey messages from the primary KS.
• The ACL referenced by an IPsec policy can have many rules, but whether all of the rules can be assigned to GMs depends on the size of the GDOI packet and the number of TEKs. For a GDOI KS group that has only one IPsec policy, you can configure a maximum of 200 rules for the referenced ACL. For a GDOI KS group that has multiple IPsec policies, determine the maximum number of rules (fewer than 200) according to the size of the GDOI packet and the number of TEKs.
• Configure the same IPsec policy within the GDOI KS group to which the GDOI KSs that back up each other belong. In addition, the referenced ACL, the referenced IPsec profile, and the configured IPsec SA lifetime must be the same on those KSs.
NOTE:
When a KS continually performs rekey operations, it generates many TEKs and might fail to assign all TEKs and ACL rules to the GMs.
To configure basic settings for a GDOI KS group:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a GDOI KS group and enter GDOI KS group view.
  Command: gdoi ks group group-name
  Remarks: By default, no GDOI KS group is created.

Step 3. Configure an ID for the GDOI KS group.
  Command: identity { address ip-address | number number }
  Remarks: By default, no GDOI group ID is specified. Specify an IP address or a number as the group ID.

Step 4. Reference a key pair for KS rekey.
  Command: rekey authentication public-key rsa key-name
  Remarks: By default, no key pair is referenced.

Step 5. Specify a rekey ACL.
  Command: rekey acl { acl-number | name acl-name }
  Remarks: By default, no rekey ACL is specified.

Step 6. Create an IPsec policy for the GDOI KS group and enter GDOI KS group IPsec policy view.
  Command: ipsec sequence-number
  Remarks: By default, no IPsec policy is created. You can configure multiple IPsec policies for a GDOI KS group.

Step 7. Reference an IPsec profile for the IPsec policy.
  Command: profile ipsec-profile-name
  Remarks: By default, no IPsec profile is referenced. For more information about configuring an IPsec profile, see "Configuring IPsec."

Step 8. Reference an ACL for the IPsec policy.
  Command: security acl { acl-number | name acl-name }
  Remarks: By default, no ACL is referenced.
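The following session walks through steps 1 through 8 on one KS and also shows the two ACL constraints from the guidelines above (paired rules for unicast service traffic, and a rekey ACL whose destination is a dedicated multicast address). It is an added example, not a configuration from this guide. The group name group1, the key pair name gdoikey, the IPsec profile name profile1 (assumed to be configured already as described in "Configuring IPsec"), the ACL numbers 3000 and 3001, the IP addresses, and the exact view prompts are all assumed or constructed; the ACL commands (acl advanced, rule permit ...) are the platform's standard ACL syntax and are not covered on this page.

```console
# Step 1: enter system view.
<KS1> system-view

# Constructed service ACL 3000 (assumed ACL syntax). Unicast flows are written as
# rule pairs: rule 0 and rule 5 together describe one bidirectional flow between
# 10.1.1.0/24 and 10.1.2.0/24, so the GMs protect traffic in both directions.
[KS1] acl advanced 3000
[KS1-acl-ipv4-adv-3000] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[KS1-acl-ipv4-adv-3000] rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[KS1-acl-ipv4-adv-3000] quit

# Constructed rekey ACL 3001 (assumed ACL syntax). Its destination, the multicast
# group 239.10.1.1, is deliberately different from every destination in ACL 3000,
# as the multicast guideline requires. 10.0.0.1 is the assumed KS address.
[KS1] acl advanced 3001
[KS1-acl-ipv4-adv-3001] rule 0 permit udp source 10.0.0.1 0 destination 239.10.1.1 0
[KS1-acl-ipv4-adv-3001] quit

# Step 2: create the GDOI KS group and enter its view.
[KS1] gdoi ks group group1

# Step 3: give the group a numeric ID (identity address ip-address is the alternative).
[KS1-gdoi-ks-group-group1] identity number 1

# Step 4: reference the RSA key pair used to authenticate rekey messages.
# The same key pair must exist on every KS that backs up this one.
[KS1-gdoi-ks-group-group1] rekey authentication public-key rsa gdoikey

# Step 5: reference the rekey ACL. Use the same ACL on the primary and secondary KSs.
[KS1-gdoi-ks-group-group1] rekey acl 3001

# Step 6: create IPsec policy 10 for the group and enter its view.
[KS1-gdoi-ks-group-group1] ipsec 10

# Step 7: reference the pre-configured IPsec profile.
[KS1-gdoi-ks-group-group1-ipsec-10] profile profile1

# Step 8: reference the service ACL that the IPsec policy protects.
[KS1-gdoi-ks-group-group1-ipsec-10] security acl 3000
[KS1-gdoi-ks-group-group1-ipsec-10] quit
[KS1-gdoi-ks-group-group1] quit
```

When a second KS backs up this one, repeat the same group configuration there with identical rekey ACL, IPsec policy, referenced ACL, IPsec profile, and IPsec SA lifetime; a GM registered with a secondary KS that uses a different rekey ACL would miss the primary KS's multicast rekey messages and eventually lose its keys. Keep the service ACL under the 200-rule limit for a single-policy group, or lower for a multi-policy group, so that every TEK and rule actually fits in the GDOI packets sent to the GMs.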