R3303-HP HSR6800 Routers Security Configuration Guide

Figure 87 An IPsec VPN
You can advertise the static routes created by IPsec RRI in the internal network. IPsec RRI can quickly
create new routes for forwarding IPsec VPN traffic when an active link fails in a load balanced or stateful
failover environment, or when IPsec VPN traffic cannot reach the peer gateway through the default local
gateway.
Protocols and standards
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3
RFC 4301, Security Architecture for the Internet Protocol
RFC 4302, IP Authentication Header
RFC 4303, IP Encapsulating Security Payload (ESP)
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
Implementing IPsec
IPsec can be implemented based on ACLs, tunnel interfaces, or applications:
ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec, configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces (see "Implementing ACL-based IPsec"). Because the ACL rules define exactly which flows are protected, you can tailor IPsec policies to the traffic that needs protection and implement IPsec flexibly.

Tunnel interface-based IPsec, or routing-based IPsec, depends on the routing mechanism to select the data flows to be protected. To implement tunnel interface-based IPsec, configure IPsec profiles and apply them to IPsec tunnel interfaces (see "Implementing tunnel interface-based IPsec"). By using IPsec profiles, this method simplifies IPsec VPN configuration and management and improves the scalability of large VPN networks.

Application-based IPsec protects the packets of a service. This method can be used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the routing mechanism. To configure application-based IPsec, configure manual IPsec policies and bind the policies to an IPv6 routing protocol. See "Configuring IPsec for IPv6 routing protocols."
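The following is an added example, not taken from this guide, showing the ACL-based procedure above on one gateway (Router A): an ACL selects the flow, a transform set and an IKE profile define how it is protected, an IKE-negotiated IPsec policy ties them together, and the policy is applied to the physical interface facing the peer. The topology (10.1.1.0/24 behind Router A at 2.2.2.1, 10.1.2.0/24 behind Router B at 2.2.3.1), the object names, and the pre-shared key are assumed values; check the exact command syntax against the command reference for your software release.

```text
# Added example (not from the guide): Router A side of an ACL-based IPsec tunnel.
# Assumed topology: 10.1.1.0/24 behind Router A (2.2.2.1), 10.1.2.0/24 behind Router B (2.2.3.1).
<RouterA> system-view

# 1. ACL: select the flow to protect. Packets matching no rule here are forwarded unprotected.
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit

# 2. Transform set: ESP in tunnel mode with AES-128 and HMAC-SHA-1 (no DES or MD5).
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit

# 3. IKE proposal: state the phase-1 algorithms explicitly instead of relying on the default proposal.
[RouterA] ike proposal 10
[RouterA-ike-proposal-10] encryption-algorithm aes-cbc-128
[RouterA-ike-proposal-10] authentication-algorithm sha
[RouterA-ike-proposal-10] dh group14
[RouterA-ike-proposal-10] quit

# 4. IKE keychain and profile: pre-shared key bound to the peer address (assumed key value).
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 2.2.3.1 255.255.255.255 key simple ChangeMe-Assumed-PSK
[RouterA-ike-keychain-key1] quit
[RouterA] ike profile prof1
[RouterA-ike-profile-prof1] keychain key1
[RouterA-ike-profile-prof1] proposal 10
[RouterA-ike-profile-prof1] local-identity address 2.2.2.1
[RouterA-ike-profile-prof1] match remote identity address 2.2.3.1 255.255.255.255
[RouterA-ike-profile-prof1] quit

# 5. IPsec policy: reference the ACL, the transform set, the peer, and the IKE profile.
[RouterA] ipsec policy map1 10 isakmp
[RouterA-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterA-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterA-ipsec-policy-isakmp-map1-10] remote-address 2.2.3.1
[RouterA-ipsec-policy-isakmp-map1-10] ike-profile prof1
[RouterA-ipsec-policy-isakmp-map1-10] quit

# 6. Apply the policy to the physical interface facing the peer.
[RouterA] interface GigabitEthernet 1/0/1
[RouterA-GigabitEthernet1/0/1] ip address 2.2.2.1 255.255.255.0
[RouterA-GigabitEthernet1/0/1] ipsec apply policy map1
[RouterA-GigabitEthernet1/0/1] quit

# Verification after traffic from 10.1.1.0/24 to 10.1.2.0/24 triggers IKE negotiation:
[RouterA] display ike sa
[RouterA] display ipsec sa
```

Router B needs the mirror-image configuration: its ACL rule swaps source and destination (10.1.2.0/24 to 10.1.1.0/24), its keychain and IKE profile point at 2.2.2.1, and its transform set and IKE proposal must offer matching algorithms or negotiation fails. Two caveats follow from the design: the ACL, not the interface, decides what is protected, so any flow not covered by rule 0 leaves the interface in cleartext; and because both gateways must select the same flows, widening the ACL on one side without the other results in one direction being dropped rather than protected. Review `display ipsec sa` after the first exchange to confirm that the negotiated algorithms are the ones configured.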