H3C Technologies H3C S12500-X Series Switches User Manual
        Destroying a local key pair ···································· 121
    Configuring a peer public key ····································· 122
        Importing a peer host public key from a public key file ······ 122
        Entering a peer public key ··································· 122
    Displaying and maintaining public keys ···························· 123
    Examples of public key management ································ 123
        Example for entering a peer public key ······················· 123
        Example for importing a public key from a public key file ···· 125
Configuring IPsec ····················································· 128
    Overview ·························································· 128
        Security protocols and encapsulation modes ··················· 128
        Security association ········································· 130
        Authentication and encryption ································ 130
        IPsec implementation ········································· 131
        Protocols and standards ······································ 132
    IPsec tunnel establishment ········································ 132
    Implementing ACL-based IPsec ······································ 132
        Feature restrictions and guidelines ·························· 132
        ACL-based IPsec configuration task list ······················ 132
        Configuring an ACL ··········································· 133
        Configuring an IPsec transform set ··························· 134
        Configuring a manual IPsec policy ···························· 135
        Configuring an IKE-based IPsec policy ························ 137
        Applying an IPsec policy to an interface ····················· 139
        Enabling ACL checking for de-encapsulated packets ············ 140
        Configuring the IPsec anti-replay function ··················· 140
        Binding a source interface to an IPsec policy ················ 141
        Enabling QoS pre-classify ···································· 142
        Enabling logging of IPsec packets ···························· 142
        Configuring the DF bit of IPsec packets ······················ 142
    Configuring SNMP notifications for IPsec ·························· 143
    Displaying and maintaining IPsec ·································· 144
    IPsec configuration examples ······································ 144
        Configuring a manual mode IPsec tunnel for IPv4 packets ······ 144
        Configuring an IKE-based IPsec tunnel for IPv4 packets ······· 147
Configuring IKE ······················································· 151
    Overview ·························································· 151
        IKE negotiation process ······································ 151
        IKE security mechanism ······································· 152
        Protocols and standards ······································ 153
    IKE configuration prerequisites ··································· 153
    IKE configuration task list ······································· 153
    Configuring an IKE profile ········································ 154
    Configuring an IKE proposal ······································· 156
    Configuring an IKE keychain ······································· 157
    Configuring the global identity information ······················· 158
    Configuring the IKE keepalive function ···························· 158
    Configuring the IKE NAT keepalive function ························ 158
    Configuring IKE DPD ··············································· 159
    Enabling invalid SPI recovery ····································· 160
    Setting the maximum number of IKE SAs ····························· 160
    Configuring SNMP notifications for IKE ···························· 160
    Displaying and maintaining IKE ···································· 161