Password control configuration example, Network requirements, Configuring an ike keychain – H3C Technologies H3C S12500-X Series Switches User Manual
Step / Command / Remarks (continued)

Step 6. Specify a DH group for key negotiation in phase 1.
    Command:
      In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 }
      In FIPS mode: dh group14
    Remarks:
      By default, DH group1 (the 768-bit DH group) is used in non-FIPS mode, and DH group14 (the 2048-bit DH group) is used in FIPS mode.
      The 768-bit group1 and the 1024-bit group2 are too weak for current deployments. In non-FIPS mode, configure group14 or stronger explicitly rather than relying on the default.

Step 7. Set the IKE SA lifetime for the IKE proposal.
    Command: sa duration seconds
    Remarks: By default, the IKE SA lifetime is 86400 seconds.
Configuring an IKE keychain
Perform this task when IKE is configured to use pre-shared key authentication.
Follow these guidelines when you configure an IKE keychain:
1. Both peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2. You can restrict an IKE keychain to the local address configured in IPsec policy view (with the local-address command). If no local address is configured there, specify the IP address of the interface that references the IPsec policy.
3. You can assign a priority number to an IKE keychain. When more than one keychain could apply, the device selects one as follows:
a. A keychain that has the match local address command configured takes precedence over one that does not.
b. If that does not break the tie, the keychain with the smaller priority number takes precedence.
c. If the tie persists, the keychain that was configured earlier is preferred.
To configure the IKE keychain:

Step / Command / Remarks

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE keychain and enter its view.
    Command: ike keychain keychain-name [ vpn-instance vpn-name ]
    Remarks: By default, no IKE keychain exists.

Step 3. Configure a pre-shared key.
    Command: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
    Remarks: By default, no pre-shared key is configured.
      For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.

Step 4. (Optional.) Specify a local interface or IP address to which the IKE keychain can be applied.
    Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
    Remarks: By default, an IKE keychain can be applied to any local interface or IP address.

Step 5. (Optional.) Specify a priority for the IKE keychain.
    Command: priority number
    Remarks: The default priority is 100.
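The following configuration is an added example and is not taken from the H3C manual. It combines steps 6 and 7 of the IKE proposal table with the keychain procedure above, and shows two keychains so the selection rules (match local address first, then the smaller priority number, then configuration order) can be seen on real settings. The peer and local addresses, keychain names and keys are constructed for the example; the ike proposal command is standard Comware syntax but does not appear on this page. Lines starting with # are annotations, not commands.

```text
# Added example (not from the H3C manual). Addresses, names and keys are constructed.
system-view
#
# IKE proposal: replace the non-FIPS default (dh group1, 768-bit) with group14 and
# shorten the IKE SA lifetime from the 86400-second default (step 6 and step 7).
# The "ike proposal" command is assumed Comware syntax; it is not shown on this page.
ike proposal 1
 dh group14
 sa duration 28800
 quit
#
# Keychain kc-branch is bound to local address 192.0.2.1 with match local address,
# so for IKE negotiations sourced from 192.0.2.1 it wins over any keychain that has
# no match local address, whatever their priority numbers (rule a).
ike keychain kc-branch
 pre-shared-key address 192.0.2.2 255.255.255.255 key simple Cr3ated-ForTheExample-Only
 match local address 192.0.2.1
 priority 50
 quit
#
# Keychain kc-fallback has no match local address. Its priority 10 only matters
# against other keychains that also lack match local address: among those, the
# smaller number wins (rule b), and equal numbers fall back to configuration
# order (rule c). Note the /24 mask: the key applies to any peer in 192.0.2.0/24.
ike keychain kc-fallback
 pre-shared-key address 192.0.2.0 24 key simple An0ther-Constructed-Key
 priority 10
 quit
```

The key simple form is used so the example is readable; per the table above the device still writes the key to the configuration file as cipher text, but the plaintext is visible on the terminal and in the command history while you type it. Both peers must carry the identical key, and the kc-branch entry shows the usual practice of matching a single peer with a host mask rather than a wide prefix.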