Configure basic VPN domain settings, Configuring default IPsec and IKE settings, Configuring an IPsec proposal – H3C Technologies H3C Intelligent Management Center User Manual


Configure basic VPN domain settings

1. Enter a name for the VPN domain in the Domain Name box.
   IVM uses a case-insensitive name and a type to uniquely identify a VPN domain. VPN domains of the same type cannot have the same name.

2. Enter a description for the VPN domain in the Description box.

3. Select the IPsec VPN type for the VPN domain.

4. Select one of the following actions from the Actions upon Deployment Failure list:
   - Rollback and Stop Deployment.
   - Rollback and Continue with the Next Device.

5. Select the Configure IPsec and IKE option to configure default IPsec and IKE settings, an IPsec proposal, and an IKE proposal.
   Skip this step if you do not need to configure default IPsec and IKE settings, an IPsec proposal, and an IKE proposal.

Configuring default IPsec and IKE settings

1. Select Main or Aggressive in the IKE Negotiation Mode field.

2. Select YES or NO in the NAT Traversal field.
   Only aggressive mode supports NAT traversal.

3. Select Pre-Shared Key or CA Authentication in the IKE Authentication field:
   - If you select Pre-Shared Key, enter the preshared key in the Authentication Key box.
   - If you select CA Authentication, you need to set the CA domain for the hub and spoke devices when you configure IPsec tunnels.

4. Select Name or IP in the ID Type field for the IKE peer.
   If NAT traversal is enabled, you must select Name. If the IKE negotiation mode is Main, you must select IP.

5. Select Tunnel or Transport in the Encapsulation Mode field.
   If NAT traversal is enabled, you must select the Tunnel option.

6. Select YES or NO in the Use Policy Template field.
   If you select YES, the hub device only responds to negotiation requests from peers, without initiating IKE negotiation. The IPsec policy template feature applies to the scenario where the IP addresses of spoke devices are unknown.

7. Select the PFS option, and select DH Group 1, DH Group 2, DH Group 5, DH Group 14, or Disable from the list.

8. Select YES or NO in the Set IPsec SA Lifetime field.
   If you select YES, set the Time(s) and Traffic(KB). Time(s) specifies the lifetime (in seconds) of the IPsec SA. Traffic(KB) specifies the maximum traffic (in KBs) that the IPsec SA can process. When either the time or traffic condition is met, a new IPsec SA is negotiated.

9. Click Next to configure security proposals, or click Accomplish to skip security proposal configuration.
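
A pre-deployment check of the field dependencies in the steps above, written as an added example; it is not part of the H3C manual or of IVM. The dictionary keys and the check_defaults function are assumptions made here, and the warnings reflect general IPsec hardening guidance (RFC 8247 for DH groups), not statements from the manual.

```python
# Added example: values mirror the field labels on this page; the dict layout is an assumption.
PFS_CHOICES = {"DH Group 1", "DH Group 2", "DH Group 5", "DH Group 14", "Disable"}
# Added judgement, not from the manual: RFC 8247 deprecates these MODP groups.
WEAK_PFS = {"DH Group 1", "DH Group 2", "DH Group 5"}


def check_defaults(s):
    """Return (errors, warnings) for one planned set of default IPsec/IKE settings."""
    errors, warnings = [], []
    mode, nat = s["ike_negotiation_mode"], s["nat_traversal"]
    id_type, encap = s["id_type"], s["encapsulation_mode"]
    pfs = s.get("pfs", "Disable")

    # Constraints stated in the procedure above.
    if nat and mode != "Aggressive":
        errors.append("NAT traversal requires Aggressive mode")
    if nat and id_type != "Name":
        errors.append("NAT traversal requires ID type Name")
    if mode == "Main" and id_type != "IP":
        errors.append("Main mode requires ID type IP")
    if nat and encap != "Tunnel":
        errors.append("NAT traversal requires Tunnel encapsulation")
    if pfs not in PFS_CHOICES:
        errors.append(f"unknown PFS choice: {pfs!r}")

    # Hardening review (added here, not part of the manual).
    if mode == "Aggressive" and s["ike_authentication"] == "Pre-Shared Key":
        warnings.append("Aggressive mode sends a PSK-derived hash unencrypted (offline guessing risk)")
    if pfs in WEAK_PFS:
        warnings.append(f"{pfs} is deprecated; prefer DH Group 14")
    if pfs == "Disable":
        warnings.append("PFS disabled: no fresh DH exchange per IPsec SA")
    return errors, warnings


# Constructed sample plans.
NAT_SPOKES = {"ike_negotiation_mode": "Aggressive", "nat_traversal": True,
              "ike_authentication": "Pre-Shared Key", "id_type": "Name",
              "encapsulation_mode": "Tunnel", "pfs": "DH Group 2"}
BROKEN = {"ike_negotiation_mode": "Main", "nat_traversal": True,
          "ike_authentication": "CA Authentication", "id_type": "Name",
          "encapsulation_mode": "Transport", "pfs": "DH Group 14"}

if __name__ == "__main__":
    for name, plan in (("NAT_SPOKES", NAT_SPOKES), ("BROKEN", BROKEN)):
        errs, warns = check_defaults(plan)
        print(name, "errors:", errs, "warnings:", warns)
```

NAT_SPOKES is consistent with the manual's rules but draws two hardening warnings; BROKEN combines Main mode with NAT traversal and fails three of the stated constraints.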

Configuring an IPsec proposal

1. Click Add in the IPsec Proposal area.

2. Enter a name for the IPsec proposal.
