Configuration procedure
Follow these guidelines when you configure a keychain:
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain. Receiving lifetimes are not subject to this restriction: letting the receiving lifetime of the outgoing key overlap that of the incoming key keeps authentication working across a key rollover even if the two devices' clocks differ slightly.
The keys used by the local device and the peer device must have the same authentication algorithm and key string. Because the lifetimes are absolute UTC times, both devices also need correct, synchronized clocks (for example, via NTP); otherwise a key may be active on one side and expired on the other.
To configure a keychain:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a keychain and enter keychain view. | keychain keychain-name [ mode absolute ] | By default, no keychains exist. |
3. Create a key and enter key view. | key key-id | By default, no keys exist. |
4. Specify an authentication algorithm for the key. | authentication-algorithm { hmac-md5 \| md5 } | By default, no authentication algorithm is specified for a key. Both options are MD5-based; of the two, prefer hmac-md5 (the HMAC construction) over keyed md5, and use a SHA-based algorithm if your platform's keychain offers one. |
5. Configure a key string for the key. | key-string { cipher \| plain } string | By default, no key string is configured. Use a different key string for every key; rolling over to a key with the same string changes nothing. |
6. Set the sending lifetime in UTC mode for the key. | send-lifetime utc start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } | By default, the sending lifetime is not configured for a key. |
7. Set the receiving lifetime in UTC mode for the key. | accept-lifetime utc start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } | By default, the receiving lifetime is not configured for a key. |
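The following Python script is an added example, not code from the original page or from the device vendor. It plans a two-key rollover, checks the guideline above (sending lifetimes must not overlap, with no gap between them and no reused key string), widens each receiving lifetime by a grace period so the peer keeps authenticating across the switch-over, and then emits the command lines from the table. The sample keys, the keychain name, the one-hour grace period, the choice of mode absolute (because the lifetimes are absolute UTC points) and the assumed hh:mm:ss MM/DD/YYYY argument format are all illustrative assumptions; confirm the time/date format against your platform's command reference before pasting the output.

```python
"""Plan and render a keychain with rolling keys (added example, not vendor code).

Encodes the page's guideline that sending lifetimes must not overlap, and
two checks a practitioner wants before pasting the configuration: no gap
with no sending key, and no reused key string. Accept lifetimes are widened
by a grace period so a peer whose clock is slightly off still authenticates
packets while the keys change over.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed argument formats for start-time / start-date (hh:mm:ss MM/DD/YYYY).
# Not stated on the page; check the command reference for your platform.
TIME_FMT = "%H:%M:%S"
DATE_FMT = "%m/%d/%Y"


@dataclass(frozen=True)
class KeyPlan:
    key_id: int
    key_string: str
    send_start: datetime   # UTC
    send_end: datetime     # UTC; treated as exclusive, so touching windows do not overlap


def stamp(t: datetime) -> str:
    """Format a UTC datetime as the two arguments the lifetime commands take."""
    return f"{t.strftime(TIME_FMT)} {t.strftime(DATE_FMT)}"


def accept_window(key: KeyPlan, grace: timedelta) -> tuple[datetime, datetime]:
    """Receiving lifetime = sending lifetime widened by the grace period on each side."""
    return key.send_start - grace, key.send_end + grace


def check_plan(keys: list[KeyPlan]) -> list[str]:
    """Return the problems found in the plan; an empty list means it follows the guideline."""
    problems = []
    ordered = sorted(keys, key=lambda k: k.send_start)
    for k in ordered:
        if k.send_end <= k.send_start:
            problems.append(f"key {k.key_id}: send lifetime ends before it starts")
    # Adjacent sending lifetimes must touch exactly: neither overlap nor gap.
    for a, b in zip(ordered, ordered[1:]):
        if b.send_start < a.send_end:
            problems.append(f"keys {a.key_id} and {b.key_id}: send lifetimes overlap")
        elif b.send_start > a.send_end:
            problems.append(f"keys {a.key_id} and {b.key_id}: gap with no sending key")
    # A rollover to an identical secret is not a rollover.
    seen: dict[str, int] = {}
    for k in ordered:
        if k.key_string in seen:
            problems.append(f"keys {seen[k.key_string]} and {k.key_id}: same key string")
        else:
            seen[k.key_string] = k.key_id
    return problems


def render(name: str, algorithm: str, keys: list[KeyPlan], grace: timedelta) -> str:
    """Emit the configuration steps from the table, one key view per key.

    Raises ValueError instead of producing a configuration that breaks the guideline.
    """
    problems = check_plan(keys)
    if problems:
        raise ValueError("; ".join(problems))
    # mode absolute chosen because the lifetimes below are absolute UTC points in time.
    lines = ["system-view", f"keychain {name} mode absolute"]
    for k in sorted(keys, key=lambda k: k.send_start):
        a_start, a_end = accept_window(k, grace)
        lines += [
            f" key {k.key_id}",
            f"  authentication-algorithm {algorithm}",
            f"  key-string plain {k.key_string}",
            f"  send-lifetime utc {stamp(k.send_start)} to {stamp(k.send_end)}",
            f"  accept-lifetime utc {stamp(a_start)} to {stamp(a_end)}",
            "  quit",
        ]
    lines.append(" quit")
    return "\n".join(lines)


# Constructed sample: two keys, rolling over at 2024-04-01 00:00:00 UTC.
SAMPLE_KEYS = [
    KeyPlan(1, "Spr1ng-s3cret", datetime(2024, 1, 1), datetime(2024, 4, 1)),
    KeyPlan(2, "Summ3r-s3cret", datetime(2024, 4, 1), datetime(2024, 7, 1)),
]
GRACE = timedelta(hours=1)

if __name__ == "__main__":
    print(render("to-peer-a", "hmac-md5", SAMPLE_KEYS, GRACE))
```

The rendered output for the sample gives key 1 a sending lifetime ending exactly when key 2's begins, while key 1 is still accepted until 01:00:00 on the rollover day and key 2 is accepted from 23:00:00 the day before, so a peer up to an hour out of sync still authenticates. After applying the commands, check the active key with display keychain on both devices.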