Configuring basic information – H3C Technologies H3C Intelligent Management Center User Manual


• Basic Information
• Device Parameters
• Security Proposals
• Spoke Additional Settings
• Hub Advanced Settings
• Spoke Advanced Settings

Configuring basic information

1. Configure the following settings in the Basic Information page:

   • IKE Negotiation Mode—Main or Aggressive mode for phase-1 IKE negotiation. This setting cannot be modified after the tunnel is created; you can set it only when you add the tunnel.

   • NAT Traversal—YES or NO. Only aggressive mode supports NAT traversal. This setting cannot be modified after the tunnel is created; you can set it only when you add the tunnel.

   • IKE Authentication—Pre-Shared Key or CA Authentication used to authenticate the IKE peer. The authentication key is also displayed for Pre-Shared Key.

   • ID Type—Name or IP. If the ID type is Name, the Hub IKE Gateway Name and Spoke IKE Gateway Name are also displayed.

   • Encapsulation Mode—Tunnel or Transport. If NAT traversal is enabled, you must select Tunnel. This setting cannot be modified after the tunnel is created; you can set it only when you add the tunnel.

   • Use Policy Template—YES or NO. This setting cannot be modified after the tunnel is created; you can set it only when you add the tunnel.

   • PFS—Select the PFS option, and select DH Group 1, DH Group 2, DH Group 5, DH Group 14, or Disable from the list.

   • Set IPsec SA Lifetime—Select YES or NO in the Set IPsec SA Lifetime field. If you select YES, set the Time(s) (in seconds) and Traffic(KB). When either the configured time or traffic condition is met, a new IPsec SA is negotiated.

   • Generate Static Routes on Hub—Select No, Yes, or Reverse Route Inject (RRI). Use this option to set static routes from the hub to the spoke network. If you select Reverse Route Inject, you also need to configure the Next Hop, Recursive Route, and Route Policy options, which correspond to the CLI command reverse-route [ remote-peer ip-address [ gateway | static ] | static ].

      ◦ Next Hop—Select this option to specify a next hop. This setting corresponds to the CLI keyword remote-peer. If no next hop is specified, the remote spoke address is used as the next hop.

      ◦ Recursive Route—Select Disable or Enable. This setting corresponds to the CLI keyword gateway and it is available only when the next hop is specified. After you enable Recursive Route, the hub generates two static routes to the spoke network. One route uses the spoke address as the next hop, and the other route uses the specified next hop.

      ◦ Route Policy—Select Static or Dynamic. This setting corresponds to the CLI keyword static. RRI can generate static routes statically based on the ACL in the IPsec policy or dynamically based on IPsec SA state. If Recursive Route is enabled, you must select Dynamic.

   • Generate Static Routes on Spoke Device—Select No or Yes. Use this option to set static routes from the spoke to the hub network.

2. Click OK.
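The dependencies among these settings, and the way the three RRI options map onto the reverse-route syntax, can be checked before a tunnel is added. The following is an added example, not part of the H3C manual or the IMC software: the dictionary keys and function names are hypothetical, the sample values are constructed, and treating Dynamic as the absence of the static keyword is a reading of the syntax quoted above.

```python
import ipaddress

def check_tunnel(cfg):
    """Return violations of the dependency rules stated in the settings list."""
    errors = []
    if cfg["nat_traversal"] and cfg["ike_mode"] != "aggressive":
        errors.append("NAT traversal requires aggressive mode")
    if cfg["nat_traversal"] and cfg["encapsulation"] != "tunnel":
        errors.append("NAT traversal requires tunnel encapsulation")
    if cfg["hub_routes"] == "rri":
        if cfg.get("recursive_route") and not cfg.get("next_hop"):
            errors.append("Recursive Route needs a next hop")
        if cfg.get("recursive_route") and cfg.get("route_policy") != "dynamic":
            errors.append("Recursive Route requires the Dynamic route policy")
        if cfg.get("next_hop"):
            try:
                ipaddress.ip_address(cfg["next_hop"])
            except ValueError:
                errors.append("next hop is not an IP address")
    return errors

def reverse_route_command(cfg):
    """Render the RRI options in the form
    reverse-route [ remote-peer ip-address [ gateway | static ] | static ]."""
    if cfg["hub_routes"] != "rri":
        return None  # "No" and "Yes" do not use the reverse-route options
    errors = check_tunnel(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["reverse-route"]
    if cfg.get("next_hop"):                      # Next Hop -> remote-peer
        parts += ["remote-peer", cfg["next_hop"]]
    if cfg.get("recursive_route"):               # Recursive Route -> gateway
        parts.append("gateway")
    elif cfg.get("route_policy") == "static":    # Route Policy Static -> static
        parts.append("static")
    return " ".join(parts)

# Constructed sample settings (hypothetical keys, documentation IP address).
SAMPLE = {"ike_mode": "aggressive", "nat_traversal": True,
          "encapsulation": "tunnel", "hub_routes": "rri",
          "next_hop": "192.0.2.1", "recursive_route": True,
          "route_policy": "dynamic"}

if __name__ == "__main__":
    print(reverse_route_command(SAMPLE))
```

Because the syntax allows only one of gateway or static after remote-peer, a configuration with Recursive Route enabled and a Static route policy has no CLI form, which is why the check rejects it.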
