H3C Technologies H3C S12500-X Series Switches User Manual
Destroying a local key pair ····· 121
Configuring a peer public key ····· 122
Importing a peer host public key from a public key file ····· 122
Entering a peer public key ····· 122
Displaying and maintaining public keys ····· 123
Examples of public key management ····· 123
Example for entering a peer public key ····· 123
Example for importing a public key from a public key file ····· 125
Configuring IPsec ····· 128
Overview ····· 128
Security protocols and encapsulation modes ····· 128
Security association ····· 130
Authentication and encryption ····· 130
IPsec implementation ····· 131
Protocols and standards ····· 132
IPsec tunnel establishment ····· 132
Implementing ACL-based IPsec ····· 132
Feature restrictions and guidelines ····· 132
ACL-based IPsec configuration task list ····· 132
Configuring an ACL ····· 133
Configuring an IPsec transform set ····· 134
Configuring a manual IPsec policy ····· 135
Configuring an IKE-based IPsec policy ····· 137
Applying an IPsec policy to an interface ····· 139
Enabling ACL checking for de-encapsulated packets ····· 140
Configuring the IPsec anti-replay function ····· 140
Binding a source interface to an IPsec policy ····· 141
Enabling QoS pre-classify ····· 142
Enabling logging of IPsec packets ····· 142
Configuring the DF bit of IPsec packets ····· 142
Configuring SNMP notifications for IPsec ····· 143
Displaying and maintaining IPsec ····· 144
IPsec configuration examples ····· 144
Configuring a manual mode IPsec tunnel for IPv4 packets ····· 144
Configuring an IKE-based IPsec tunnel for IPv4 packets ····· 147
Configuring IKE ····· 151
Overview ····· 151
IKE negotiation process ····· 151
IKE security mechanism ····· 152
Protocols and standards ····· 153
IKE configuration prerequisites ····· 153
IKE configuration task list ····· 153
Configuring an IKE profile ····· 154
Configuring an IKE proposal ····· 156
Configuring an IKE keychain ····· 157
Configuring the global identity information ····· 158
Configuring the IKE keepalive function ····· 158
Configuring the IKE NAT keepalive function ····· 158
Configuring IKE DPD ····· 159
Enabling invalid SPI recovery ····· 160
Setting the maximum number of IKE SAs ····· 160
Configuring SNMP notifications for IKE ····· 160
Displaying and maintaining IKE ····· 161