Configuration guidelines – H3C Technologies H3C MSR 50 User Manual

125

c.

Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter

2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, and
select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter

10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the

destination IP address/wildcard.

d.

Click Apply.

Configuration guidelines

When you configure PKI, follow these guidelines:

•

Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of
certificates will be abnormal.

•

The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not

respond to the certificate request.

•

The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA
as the authority for certificate request when you configure the PKI domain.

•

The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case,
specify CA as the authority for certificate request when you configure the PKI domain.