Modifying an ipsec vpn domain, Modifying the basic settings – H3C Technologies H3C Intelligent Management Center User Manual


Modifying an IPsec VPN domain

An IPsec VPN domain contains IPsec and IKE settings for tunnels in the domain. IPsec tunnels in a VPN domain inherit the default IPsec and IKE settings of the VPN domain. You can modify IPsec and IKE settings for the VPN domain. The new settings take effect only on newly added tunnels and do not affect existing tunnels.

Modifying the basic settings

1. Click the Service tab.

2. From the navigation tree, select IPsec VPN Manager > IPsec Resources > VPN Domains.
   The VPN Domain List displays all VPN domains.

3. Click the Modify icon for the IPsec VPN domain you want to modify.
   The Modify IPsec VPN Domain Settings page appears.
   The page contains two tabs: Basic Settings and Security Proposals. By default, the Basic Settings tab is displayed.

4. Modify the following parameters:

   - Domain Name—Modify the name of the IPsec VPN domain. IVM uses the Domain Name + Type combination to uniquely identify a VPN domain. The VPN domain name is a case-insensitive string and must be unique among all VPN domains of the same type.

   - Description—Modify the description of the IPsec VPN domain.

   - Type—The type is IPsec VPN and this field cannot be modified.

   - Actions upon Deployment Failure—Select the action to take on tunnel deployment failures. Options are:

     - Roll Back and Stop Deployment—Clears the tunnel configuration on the failed device and stops deploying tunnel configurations to other devices.

     - Roll Back and Continue with Next Device—Clears the tunnel configuration on the failed device and continues to deploy tunnel configurations to other devices.

5. Select the Configure IPsec and IKE option to configure the default IPsec and IKE settings, IPsec proposal, and IKE proposal.
   The Use default IPsec and IKE configurations area appears only when the Configure IPsec and IKE option is selected.

6. Configure the following parameters in the area:

   - IKE Negotiation Mode—Select the key negotiation mode used in IKE negotiation phase 1: Main or Aggressive. Main mode is slower but more secure than aggressive mode.

   - NAT Traversal—Select Yes or No to enable or disable NAT traversal. You must enable NAT traversal if a NAT device exists between the IPsec tunnel endpoints. Only aggressive mode supports NAT traversal.

   - IKE Authentication—Select the authentication method used by the two IKE peers: Pre-Shared Key or CA Authentication.

     - If you select Pre-Shared Key, enter the pre-shared key in the Authentication Key field.

     - If you select CA Authentication, you must specify the CA domain for the hub and spoke when you configure IPsec tunnels.
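
The constraints stated in steps 4 and 6 can be checked before a change is entered in the GUI. The following is an added example, not part of the H3C manual and not an IMC/IVM interface; the DomainSettings record, the check_domain function and the finding codes are hypothetical names, and the sample domains are constructed.

```python
from dataclasses import dataclass

# Hypothetical record of the fields on the Basic Settings tab; IVM exposes
# these through its web UI, and this class is not an IMC/IVM API.
@dataclass
class DomainSettings:
    name: str
    type: str = "IPsec VPN"            # fixed, cannot be modified
    ike_mode: str = "Main"             # "Main" or "Aggressive"
    nat_traversal: bool = False
    ike_auth: str = "Pre-Shared Key"   # or "CA Authentication"
    auth_key: str = ""

def domain_key(d):
    # Domain Name + Type identifies a domain; the name is case-insensitive.
    return (d.name.casefold(), d.type)

def check_domain(new, other_domains, existing_tunnels=0):
    """Return (errors, warnings) as lists of short codes for a planned change."""
    errors, warnings = [], []
    if domain_key(new) in {domain_key(d) for d in other_domains}:
        errors.append("duplicate-name")
    if new.ike_mode not in ("Main", "Aggressive"):
        errors.append("unknown-ike-mode")
    if new.nat_traversal and new.ike_mode != "Aggressive":
        errors.append("nat-traversal-needs-aggressive")   # rule as stated in the manual
    if new.ike_auth == "Pre-Shared Key":
        if not new.auth_key:
            errors.append("missing-pre-shared-key")
    elif new.ike_auth == "CA Authentication":
        warnings.append("ca-domain-needed-per-tunnel")    # hub and spoke, set at tunnel time
    else:
        errors.append("unknown-ike-auth")
    if new.ike_mode == "Aggressive":
        warnings.append("aggressive-less-secure-than-main")
    if existing_tunnels:
        # New domain settings apply only to newly added tunnels.
        warnings.append("existing-tunnels-keep-old-settings")
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample data.
    others = [DomainSettings(name="Branch-VPN", auth_key="constructed-sample")]
    plan = DomainSettings(name="branch-vpn", nat_traversal=True,
                          ike_auth="CA Authentication")
    print(check_domain(plan, others, existing_tunnels=3))
```

The existing-tunnels warning matters when the change is meant to tighten security: tunnels already in the domain keep the settings they were deployed with.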
