Configuration procedure
Follow these guidelines when you configure a keychain:
The device picks the key it sends with by sending lifetime. To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain. Receiving lifetimes may overlap, and during a key rollover they should: the device must keep accepting packets that the peer still authenticates with the previous key until both sides have switched to the new one.
The keys used by the local device and the peer device must have the same authentication algorithm and key string. Prefer hmac-sha-256 when the peer supports it; md5 and hmac-md5 are offered mainly for interoperability with older implementations.
Lifetimes are specified in UTC, so keep the clocks of both devices synchronized (for example with NTP). If the clocks differ, the sending and receiving windows on the two devices do not line up and a rollover can interrupt the session.
To configure a keychain:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a keychain and enter keychain view. | keychain keychain-name [ mode absolute ] | By default, no keychains exist. |
3. (Optional.) Set the kind value in the TCP Enhanced Authentication Option. | tcp-kind kind-value | By default, the kind value is 254. When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value setting. If they do not have the same value, use this command to modify the kind value on the local device. |
4. (Optional.) Set an algorithm ID for a TCP authentication algorithm. | tcp-algorithm-id { hmac-md5 \| md5 } algorithm-id | By default, the algorithm ID is 3 for the MD5 authentication algorithm, and is 5 for the HMAC-MD5 authentication algorithm. When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same algorithm ID setting. If they do not have the same algorithm ID, use this command to modify the algorithm ID on the local device. |
5. (Optional.) Set a tolerance time for accept keys in the keychain. | accept-tolerance { value \| infinite } | By default, no tolerance time is configured for accept keys in a keychain. The tolerance widens the receiving window of each key, so that a peer whose clock differs slightly from the local clock, or that switches keys a little earlier or later than planned, is not rejected during a rollover. |
6. Create a key and enter key view. | key key-id | By default, no keys exist. |
7. Specify an authentication algorithm for the key. | authentication-algorithm { hmac-md5 \| hmac-sha-256 \| md5 } | By default, no authentication algorithm is specified for a key. |
8. Configure a key string for the key. | key-string { cipher \| plain } string | By default, no key string is configured. |
9. Set the sending lifetime in UTC mode for the key. | send-lifetime utc start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } | By default, the sending lifetime is not configured for a key. |
10. Set the receiving lifetime in UTC mode for the key. | accept-lifetime utc start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } | By default, the receiving lifetime is not configured for a key. |
11. (Optional.) Specify the key as the default send key. | default-send-key | By default, no key in a keychain is specified as the default send key. |
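The following session is an added example and is not taken from the original page or from any vendor configuration guide. It applies the procedure above to build a keychain with two hmac-sha-256 keys arranged for a planned rollover: the sending lifetimes do not overlap (key 1 stops sending at the end of 30 June 2024, key 2 starts at the beginning of 1 July 2024), while the receiving lifetimes deliberately overlap by one hour on each side of the switch and an accept tolerance is added on top, so that a peer that switches slightly early or late is still accepted. The keychain name, the key strings, the prompt text in square brackets, the hh:mm:ss and MM/DD/YYYY time and date formats, and the unit of the tolerance value are all assumptions for illustration; check them against the command reference for your platform. Lines beginning with # are commentary, not commands.

```text
# Added example, not the page's own configuration. All names, key strings
# and prompt formats are assumed placeholders.
<Sysname> system-view
[Sysname] keychain bgp-peer1 mode absolute
# Accept keys slightly outside their receiving lifetime to absorb clock
# differences between peers (value/unit as defined by your platform).
[Sysname-keychain-bgp-peer1] accept-tolerance 10
# Key 1: the key in use today. Sending stops at the end of 30 June 2024;
# receiving continues for one more hour so late packets from the peer
# that still use key 1 are not dropped.
[Sysname-keychain-bgp-peer1] key 1
[Sysname-keychain-bgp-peer1-key-1] authentication-algorithm hmac-sha-256
[Sysname-keychain-bgp-peer1-key-1] key-string plain Example-Old-Key-2024H1
[Sysname-keychain-bgp-peer1-key-1] send-lifetime utc 00:00:00 01/01/2024 to 23:59:59 06/30/2024
[Sysname-keychain-bgp-peer1-key-1] accept-lifetime utc 00:00:00 01/01/2024 to 01:00:00 07/01/2024
[Sysname-keychain-bgp-peer1-key-1] quit
# Key 2: the replacement. Its sending lifetime starts where key 1's ends
# (no overlap), but it is accepted from one hour before the switch so a
# peer that rolls over early is also accepted.
[Sysname-keychain-bgp-peer1] key 2
[Sysname-keychain-bgp-peer1-key-2] authentication-algorithm hmac-sha-256
[Sysname-keychain-bgp-peer1-key-2] key-string plain Example-New-Key-2024H2
[Sysname-keychain-bgp-peer1-key-2] send-lifetime utc 00:00:00 07/01/2024 duration infinite
[Sysname-keychain-bgp-peer1-key-2] accept-lifetime utc 23:00:00 06/30/2024 duration infinite
# Optional (step 11): make the new key the keychain's default send key.
[Sysname-keychain-bgp-peer1-key-2] default-send-key
[Sysname-keychain-bgp-peer1-key-2] quit
[Sysname-keychain-bgp-peer1] quit
```

The same keychain, with identical key IDs, algorithms, key strings and lifetimes, must be configured on the peer, and both devices need synchronized UTC clocks for the windows to line up. The tcp-kind and tcp-algorithm-id settings are left at their defaults here; they only need changing when the peer is another vendor's implementation that uses different values. If your platform offers a command to display keychain state, use it after configuration to confirm which key is currently active for sending and which keys are currently acceptable, and repeat the check just after the rollover time.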