
Configuring a name for the local security gateway, Configuring an ike proposal – H3C Technologies H3C SecPath F1000-E User Manual


Task | Remarks
Setting keepalive timers | Optional.
Setting the NAT keepalive timer | Optional.
Configuring a DPD detector | Optional.
Disabling next payload field checking | Optional.

Configuring a name for the local security gateway

If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (that is, the id-type name or id-type user-fqdn command is configured on the initiator), configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If you configure both commands, the name configured in IKE peer view is used.

To configure a name for the local security gateway:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure a name for the local security gateway. | ike local-name name | Optional. By default, the device name is used as the name of the local security gateway.

Configuring an IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number: the lower the sequence number, the higher the preference.

Two peers must have at least one matching IKE proposal for IKE negotiation to succeed. During IKE negotiation, the initiator sends its IKE proposals to the peer, and the peer searches its own IKE proposals for a match. The search starts from the proposal with the lowest sequence number and proceeds in ascending order of sequence number until a match is found or all the IKE proposals are found not to match. The matching IKE proposals are used to establish the secure tunnel.

Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime is the smaller of the settings on the two sides.

By default, there is an IKE proposal, which has the lowest preference and uses the default encryption algorithm, authentication method, authentication algorithm, DH group, and ISAKMP SA lifetime.

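
The matching procedure described above, modeled in Python as an added example (not code from the manual or from H3C): the responder walks its own proposals in ascending sequence number, so its ordering decides which shared proposal is used. The class and function names and the algorithm labels are hypothetical, constructed values, not device keywords or defaults.

```python
from typing import Iterable, NamedTuple, Optional


class IkeProposal(NamedTuple):
    seq: int             # sequence number: lower value = higher preference
    encryption: str
    auth_method: str
    auth_algorithm: str
    dh_group: int
    lifetime: int        # ISAKMP SA lifetime in seconds

    def key(self) -> tuple:
        """The four attributes that must be identical for a match."""
        return (self.encryption, self.auth_method,
                self.auth_algorithm, self.dh_group)


def negotiate(initiator: Iterable[IkeProposal],
              responder: Iterable[IkeProposal]) -> Optional[dict]:
    """Responder-side search: try the responder's own proposals in ascending
    sequence number and stop at the first one the initiator also offered."""
    offered = {}
    for p in sorted(initiator, key=lambda p: p.seq):
        offered.setdefault(p.key(), p)  # keep the initiator's preferred copy
    for mine in sorted(responder, key=lambda p: p.seq):
        theirs = offered.get(mine.key())
        if theirs is not None:
            return {"responder_seq": mine.seq,
                    "initiator_seq": theirs.seq,
                    "attributes": mine.key(),
                    # the SA lifetime is the smaller of the two settings
                    "lifetime": min(mine.lifetime, theirs.lifetime)}
    return None  # every proposal mismatched: negotiation fails


# Constructed sample data (illustrative labels, not H3C defaults).
INITIATOR = [IkeProposal(10, "AES-128", "pre-share", "SHA1", 5, 86400),
             IkeProposal(20, "DES", "pre-share", "MD5", 1, 3600)]
RESPONDER_WEAK_FIRST = [IkeProposal(1, "DES", "pre-share", "MD5", 1, 28800),
                        IkeProposal(2, "AES-128", "pre-share", "SHA1", 5, 43200)]
RESPONDER_STRONG_FIRST = [IkeProposal(1, "AES-128", "pre-share", "SHA1", 5, 43200),
                          IkeProposal(2, "DES", "pre-share", "MD5", 1, 28800)]

if __name__ == "__main__":
    for label, resp in (("weak first", RESPONDER_WEAK_FIRST),
                        ("strong first", RESPONDER_STRONG_FIRST)):
        print(label, negotiate(INITIATOR, resp))
```

With the constructed data, a responder that gives the weaker proposal the lower sequence number ends up using it even though both sides also share a stronger one, so proposal order is worth reviewing when auditing a gateway's IKE configuration.
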
To configure an IKE proposal:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create an IKE proposal and enter its view. | ike proposal proposal-number | N/A