H3C Technologies H3C MSR 50 User Manual
Page 389
Item Description
Local ID Type
Select the local ID type for IKE negotiation phase 1. Options include:
• IP Address—Uses an IP address as the ID in IKE negotiation.
• FQDN—Uses an FQDN type as the ID in IKE negotiation. If this option is selected, enter a name without any at sign (@) for the local security gateway, for example, foo.bar.com.
• User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is selected, enter a name string with an at sign (@) for the local security gateway, for example, [email protected].
configured here is identical to the local gateway ID configured on its peer.
• In main mode, only the ID type of IP address can be used in IKE negotiation and SA establishment.
Selector
Select a method to identify the traffic to be protected by IPsec. Options include:
• Characteristics of Traffic—Identifies traffic to be protected based on the source address/wildcard and destination address/wildcard specified.
• Designated by Remote Gateway—The remote gateway determines the data to be protected.
IMPORTANT:
• To make sure SAs can be set up, configure the source address/wildcard on one peer as the destination address/wildcard on the other, and the destination address/wildcard on one peer as the source address/wildcard on the other. If you do not configure the parameters this way, SAs can be set up only when the IP addresses configured on one peer are subsets of those configured on the other and the peer with the narrower address range initiates SA negotiation.
• If the data range is designated by the remote gateway, the local peer cannot initiate a negotiation.
Source Address/Wildcard
Destination Address/Wildcard
Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
• IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Advanced > Route Setup [Summary] from the navigation tree.
Next Hop
Specify a next hop for the static routes.
If you do not specify any next hop, the remote tunnel endpoint’s address learned during IPsec SA negotiation is used.
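
The mirroring rule in the Selector IMPORTANT note can be checked offline before the settings are entered on both gateways. The following is an added example, not part of the H3C manual or software: the function names and sample selectors are constructed, and it assumes the wildcard is a contiguous inverse mask (0.0.0.255 matches a /24).

```python
import ipaddress

def to_network(address, wildcard):
    """Convert address/wildcard to a network (assumes an inverse mask)."""
    inv = int(ipaddress.IPv4Address(wildcard))
    if inv & (inv + 1):  # a contiguous inverse mask has the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    mask = 0xFFFFFFFF ^ inv
    base = int(ipaddress.IPv4Address(address)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))

def check_selectors(local, remote):
    """Classify a selector pair as seen from the local peer.

    Returns 'mirrored', 'local-must-initiate', 'remote-must-initiate'
    or 'mismatch'.
    """
    l_src, l_dst = to_network(*local["src"]), to_network(*local["dst"])
    # Swap the remote selector so both are expressed in the local direction.
    r_src, r_dst = to_network(*remote["dst"]), to_network(*remote["src"])
    if (l_src, l_dst) == (r_src, r_dst):
        return "mirrored"
    # Not mirrored: SAs come up only if one side is a subset of the other
    # and the side with the narrower range initiates.
    if l_src.subnet_of(r_src) and l_dst.subnet_of(r_dst):
        return "local-must-initiate"
    if r_src.subnet_of(l_src) and r_dst.subnet_of(l_dst):
        return "remote-must-initiate"
    return "mismatch"

# Constructed sample selectors (not taken from the manual).
HQ = {"src": ("10.1.0.0", "0.0.255.255"), "dst": ("10.2.1.0", "0.0.0.255")}
BRANCH = {"src": ("10.2.1.0", "0.0.0.255"), "dst": ("10.1.0.0", "0.0.255.255")}
BRANCH_NARROW = {"src": ("10.2.1.0", "0.0.0.255"), "dst": ("10.1.5.0", "0.0.0.255")}
BRANCH_WRONG = {"src": ("192.168.9.0", "0.0.0.255"), "dst": ("10.1.0.0", "0.0.255.255")}

if __name__ == "__main__":
    for name, peer in [("BRANCH", BRANCH), ("BRANCH_NARROW", BRANCH_NARROW),
                       ("BRANCH_WRONG", BRANCH_WRONG)]:
        print(f"HQ vs {name}: {check_selectors(HQ, peer)}")
```

A result of 'local-must-initiate' or 'remote-must-initiate' means the tunnel depends on which side starts negotiation, which is worth resolving by mirroring the selectors exactly.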