R3303-HP HSR6800 Routers Security Configuration Guide

# Assign IPv6 addresses to interfaces. (Details not shown.)
# Define an ACL to identify data flows from subnet 555::0/64 to subnet 333::0/64.
<RouterB> system-view
[RouterB] acl ipv6 number 3101
[RouterB-acl-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64
[RouterB-acl-adv-3101] quit
# Configure a static route to Host A.
[RouterB] ipv6 route-static 333::0 64 111::1
# Create an IPsec transform set named tran1.
[RouterB] ipsec transform-set tran1
# Specify the encapsulation mode as tunnel.
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
# Specify the security protocol as ESP.
[RouterB-ipsec-transform-set-tran1] transform esp
# Specify the algorithms for the IPsec transform set.
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Configure the IKE peer.
[RouterB] ike peer peer
[RouterB-ike-peer-peer] pre-share-key abcde
[RouterB-ike-peer-peer] remote-address ipv6 111::1
[RouterB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE for IPsec SA negotiation.
[RouterB] ipsec policy use1 10 isakmp
# Apply the ACL.
[RouterB-ipsec-policy-isakmp-use1-10] security acl ipv6 3101
# Apply the IPsec transform set.
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Apply the IKE peer.
[RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-use1-10] quit
# Apply the IPsec policy group to the interface.
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ipsec policy use1
3. Verify the configuration:
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between subnet 333::0/64 and subnet 555::0/64. If IKE negotiation is successful and SAs are set up, the traffic between the two subnets will be IPsec protected.
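To check a transcript like the one above mechanically before trusting it, here is an added Python example (not from the HP guide and not part of the Comware software) that parses the Comware-style prompts and commands, records the ACL, transform set, IKE peer, IPsec policy and interface binding, and reports weak algorithm choices, a short pre-shared key and dangling references between those objects. The weak-algorithm sets and the 16-character minimum key length are assumed local policy, not vendor requirements; the embedded sample is the Router B configuration from this section with the comment lines removed.

```python
# Added example, not from the HP guide: parse a Comware-style CLI transcript such as
# the Router B configuration above and audit it for weak IPsec/IKE settings and for
# dangling references between the IPsec policy, ACL, transform set and IKE peer.
import re

# Constructed sample: the Router B transcript from the guide, comment lines omitted.
SAMPLE_CONFIG = """\
[RouterB] acl ipv6 number 3101
[RouterB-acl-adv-3101] rule permit ipv6 source 555::/64 destination 333::/64
[RouterB-acl-adv-3101] quit
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] transform esp
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
[RouterB] ike peer peer
[RouterB-ike-peer-peer] pre-share-key abcde
[RouterB-ike-peer-peer] remote-address ipv6 111::1
[RouterB-ike-peer-peer] quit
[RouterB] ipsec policy use1 10 isakmp
[RouterB-ipsec-policy-isakmp-use1-10] security acl ipv6 3101
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
[RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-use1-10] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ipsec policy use1
"""

# Assumed local policy thresholds (our choice for this example, not a vendor requirement).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTH = {"md5"}
MIN_PSK_LEN = 16

PROMPT_RE = re.compile(r"^\[[^\]]+\]\s*(?P<cmd>.*)$")  # "[RouterB-view] command"


def parse(text):
    """Return {"acls", "ts", "peers", "policies", "applied"} built from the transcript."""
    cfg = {"acls": set(), "ts": {}, "peers": {}, "policies": {}, "applied": {}}
    cur = None  # (view kind, object name); None while in system view
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m.group("cmd").split():
            continue  # "<RouterB> ..." user-view lines, '#' comments, blanks
        w = m.group("cmd").split()
        kind = cur[0] if cur else None
        if w[0] == "quit":
            cur = None
        elif kind == "if" and w[:2] == ["ipsec", "policy"]:   # bind policy to interface
            cfg["applied"][cur[1]] = w[2]
        elif w[:3] == ["acl", "ipv6", "number"]:
            cfg["acls"].add(w[3]); cur = ("acl", w[3])
        elif w[:2] == ["ipsec", "transform-set"]:
            cfg["ts"].setdefault(w[2], {}); cur = ("ts", w[2])
        elif w[:2] == ["ike", "peer"]:
            cfg["peers"].setdefault(w[2], {}); cur = ("peer", w[2])
        elif w[:2] == ["ipsec", "policy"]:                    # system view: define policy
            cfg["policies"].setdefault(w[2], {}); cur = ("policy", w[2])
        elif w[0] == "interface":
            cur = ("if", " ".join(w[1:]))
        elif kind == "ts" and w[:2] == ["esp", "encryption-algorithm"]:
            cfg["ts"][cur[1]]["enc"] = w[2]
        elif kind == "ts" and w[:2] == ["esp", "authentication-algorithm"]:
            cfg["ts"][cur[1]]["auth"] = w[2]
        elif kind == "peer" and w[0] == "pre-share-key":
            cfg["peers"][cur[1]]["psk"] = w[1]
        elif kind == "peer" and w[0] == "remote-address":
            cfg["peers"][cur[1]]["remote"] = w[-1]
        elif kind == "policy" and w[:2] == ["security", "acl"]:
            cfg["policies"][cur[1]]["acl"] = w[-1]
        elif kind == "policy" and w[0] == "transform-set":
            cfg["policies"][cur[1]]["ts"] = w[1]
        elif kind == "policy" and w[0] == "ike-peer":
            cfg["policies"][cur[1]]["peer"] = w[1]
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    f = []
    for n, ts in cfg["ts"].items():
        if ts.get("enc") in WEAK_ENCRYPTION:
            f.append(f"transform-set {n}: weak ESP encryption '{ts['enc']}'")
        if ts.get("auth") in WEAK_AUTH:
            f.append(f"transform-set {n}: weak ESP authentication '{ts['auth']}'")
    for n, p in cfg["peers"].items():
        if len(p.get("psk", "")) < MIN_PSK_LEN:
            f.append(f"ike peer {n}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    for n, p in cfg["policies"].items():
        for key, table, label in (("acl", cfg["acls"], "ACL"),
                                  ("ts", cfg["ts"], "transform set"),
                                  ("peer", cfg["peers"], "IKE peer")):
            if p.get(key) not in table:
                f.append(f"ipsec policy {n}: references undefined {label} {p.get(key)}")
    for iface, n in cfg["applied"].items():
        if n not in cfg["policies"]:
            f.append(f"interface {iface}: applies undefined policy {n}")
    for n in sorted(set(cfg["policies"]) - set(cfg["applied"].values())):
        f.append(f"ipsec policy {n}: not applied to any interface")
    return f
```

Run against the sample, `audit(parse(SAMPLE_CONFIG))` returns two findings: the DES encryption algorithm in transform set tran1 and the five-character pre-shared key on the IKE peer. Both are exactly the settings a reviewer would want changed before this policy protects production traffic; the structural checks (policy references an existing ACL, transform set and IKE peer, and the policy is bound to an interface) all pass for this configuration. A clean audit is a precondition for, not a substitute for, confirming on the device that the IKE and IPsec SAs are actually established.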
Configuring IPsec with IPsec tunnel interfaces
Network requirements
As shown in Figure 92, the gateway of the branch accesses the Internet through a dial-up line and obtains the IP address dynamically. The headquarters accesses the Internet by using a fixed IP address.