Step 5. Configure a registration interface.
  Command: client registration interface interface-type interface-number
  Remarks: Optional. By default, the registration interface is the output interface of the route from the GM to the KS.
Configuring a GDOI IPsec policy
A GDOI IPsec policy can comprise multiple entries. The GDOI IPsec policy is identified by a name
and each entry is identified by a sequence number. A smaller sequence number represents a higher
priority.
Perform this task to configure a GDOI IPsec policy and, for each entry, reference a GDOI GM group
and a local ACL. The GDOI GM group supplies the KS addresses and the group ID that the GM uses for
registration. The local ACL filters packets: packets matching a permit rule of the local ACL are
discarded, and packets matching a deny rule are forwarded in plain text.
After the GM successfully registers with a KS, the KS assigns a security policy that contains an ACL.
The GM uses this assigned ACL to determine packet encryption. Packets matching a permit rule of
the downloaded ACL are encrypted. Packets matching a deny rule are forwarded in plain text.
Packets that do not match any rule are forwarded in plain text.
The GM first uses the local ACL to match packets and then uses the downloaded ACL to match
packets that do not match the local ACL. Packets that fail to match the local and downloaded ACLs
are forwarded in plain text.
IPsec packets whose destination address is the local device do not match against the local ACL in
the GDOI IPsec policy. They only match against the downloaded ACL.
A GDOI IPsec policy does not apply to GDOI protocol packets or non-first fragments.
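The matching order described above, worked through as an added example (not HPE code): a small model that runs the local ACL first, then the downloaded ACL, and honours the two exceptions (IPsec packets addressed to the local device skip the local ACL; GDOI protocol packets and non-first fragments bypass the policy). The ACLs, addresses and packet flags are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of a GDOI IPsec policy entry's two-stage ACL matching.
# An ACL is an ordered list of rules; the first matching rule decides.

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR

def acl_match(acl, src, dst):
    """Return the action of the first rule matching src/dst, or None."""
    for rule in acl:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)):
            return rule.action
    return None

def gdoi_action(pkt, local_acl, downloaded_acl, local_ip):
    """Decide what the GM does with one packet.

    pkt carries src, dst and optional flags: gdoi (GDOI protocol packet),
    ipsec (already IPsec-encapsulated) and first_fragment (default True).
    Returns 'bypass', 'discard', 'plain' or 'encrypt'.
    """
    # GDOI protocol packets and non-first fragments are outside the policy.
    if pkt.get("gdoi") or not pkt.get("first_fragment", True):
        return "bypass"
    # IPsec packets destined to the local device only see the downloaded ACL.
    if not (pkt.get("ipsec") and pkt["dst"] == local_ip):
        local = acl_match(local_acl, pkt["src"], pkt["dst"])
        if local == "permit":
            return "discard"      # local permit rule drops the packet
        if local == "deny":
            return "plain"        # local deny rule forwards in plain text
    # No local match (or local ACL skipped): consult the KS-assigned ACL.
    if acl_match(downloaded_acl, pkt["src"], pkt["dst"]) == "permit":
        return "encrypt"
    return "plain"                # downloaded deny rule or no match at all

# Constructed sample policy: local ACL drops one flow and exempts another;
# the downloaded (KS-assigned) ACL encrypts everything from 10.1.0.0/16.
LOCAL_ACL = [Rule("permit", "10.1.1.0/24", "10.2.2.0/24"),
             Rule("deny", "10.1.1.0/24", "10.3.3.0/24")]
DOWNLOADED_ACL = [Rule("permit", "10.1.0.0/16", "10.0.0.0/8")]
LOCAL_IP = "10.2.2.1"   # constructed address of this GM
```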
To configure a GDOI IPsec policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a GDOI IPsec policy entry and enter GDOI IPsec policy entry view.
  Command: ipsec policy policy-name seq-number gdoi
  Remarks: By default, no GDOI IPsec policy exists. For more information about this command, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference.

Step 3. Reference a GDOI GM group for the GDOI IPsec policy entry.
  Command: group group-name
  Remarks: By default, no GDOI GM group is referenced. You can reference only one GDOI GM group for a GDOI IPsec policy entry. For a GDOI IPsec policy entry to take effect, the referenced GDOI GM group must have correct KS addresses and group ID.