R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

271

272

273

274

275

276

277

278

279

280

265

• The source address of the tunnel interface is the IP address of the local physical interface that

connects to the remote.

• The IPsec tunnel interfaces of the IPsec tunnel are configured with proper IPsec profiles.

• The expected IKE SA and IPsec SAs are established between the local security gateway and the

peer gateway. Use the display ike sa command to view the status the IKE SA and the IPsec SAs.

To configure an IPsec tunnel interface:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a tunnel interface

and enter its view.

interface tunnel number

By default, no tunnel interface

exists on the device.

3. Assign a private IP address

to the tunnel interface.

• To assign an IPv4 address:

ip address ip-address { mask |

mask-length } [ sub ]

• To assign a global unicast address

or site-local address:

{ ipv6 address { ipv6-address

prefix-length |

ipv6-address/prefix-length }

{ ipv6 address

ipv6-address/prefix-length

eui-64

• To assign a link-local address:

{ ipv6 address auto link-local

{ ipv6 address ipv6-address

link-local

Configure one type of address.

By default, no private IP address

is assigned to a tunnel interface.

4. Set the tunnel mode of the

tunnel interface to IPsec

over IPv4.

tunnel-protocol ipsec { ipv4 | ipv6 }

By default, the tunnel

encapsulation mode is GRE.

5. Specify the source address

or interface of the tunnel

interface.

source { ip-address | interface-type

interface-number }

By default, no source address or

interface is specified for a tunnel

interface.

If you specify an interface, the

tunnel interface will take the

primary IP address of the source

interface.

6. Specify the destination

address of the tunnel

interface.

destination ip-address

Optional for an IKE negotiation

responder, and required for an

IKE negotiation initiator.

By default, no tunnel destination

address is configured.

7. Apply an IPsec profile to

the tunnel interface.

ipsec profile profile-name

The IPsec profile must have been

created and have not been

applied to any DVPN tunnel

interface.

For more information about commands interface tunnel, tunnel-protocol, source and destination, see

Layer 3—IP Services Commands Reference.