R3303-HP HSR6800 Routers Security Configuration Guide

[GM3-gdoi-gm-group-1] server address 100.1.1.100
[GM3-gdoi-gm-group-1] server address 200.2.2.200
[GM3-gdoi-gm-group-1] quit
# Create a GDOI IPsec policy.
[GM3] ipsec policy map 1 gdoi
# Reference GDOI GM group 1 for the GDOI IPsec policy.
[GM3-ipsec-policy-gdoi-map-1] group 1
[GM3-ipsec-policy-gdoi-map-1] quit
# Apply the IPsec policy to interface Ethernet 1/1.
[GM3] interface ethernet 1/1
[GM3-Ethernet1/1] ipsec policy map
[GM3-Ethernet1/1] quit
Verifying the configuration
After you complete the configuration, GM 1, GM 2, and GM 3 register with KS 1.
# Execute the display ike sa command on GM 1.
[GM1] display ike sa
total phase-1 SAs: 2
connection-id peer flag phase doi
-----------------------------------------------------------------
658 100.1.1.100 RD|ST 1 GROUP
659 100.1.1.100 RD|RK 1 GROUP
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
The output shows the IKE SA and the rekey SA generated after IKE negotiation. The SA with connection-id 658 is the IKE SA, and the SA with connection-id 659 is the rekey SA.
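The check above can be automated when verifying many GMs. The following Python script is an added example, not part of the HP guide: it parses captured display ike sa output and reports whether the GM holds both a READY IKE SA and a READY rekey SA with the KS. The function names are hypothetical, and the script assumes the RK flag is what distinguishes the rekey SA, as in the output above.

```python
import re

# Flag legend as printed by the device under "flag meaning".
FLAGS = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
         "FD": "FADING", "TO": "TIMEOUT", "RK": "REKEY"}

# One SA row: connection-id, peer, flags joined by "|", phase, doi.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z|]+)\s+(\d+)\s+(\S+)\s*$")

def parse_ike_sa(text):
    """Return one dict per SA row found in 'display ike sa' output."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            conn, peer, flags, phase, doi = m.groups()
            sas.append({"id": int(conn), "peer": peer,
                        "flags": set(flags.split("|")),
                        "phase": int(phase), "doi": doi})
    return sas

def check_gdoi_registration(text, ks_addr):
    """Return a list of problems; an empty list means both SAs are READY."""
    group = [s for s in parse_ike_sa(text)
             if s["peer"] == ks_addr and s["doi"] == "GROUP" and s["phase"] == 1]
    ready = [s for s in group if "RD" in s["flags"]]
    problems = []
    # Assumption: the rekey SA carries RK, the registration IKE SA does not.
    if not any("RK" not in s["flags"] for s in ready):
        problems.append("no READY IKE SA with " + ks_addr)
    if not any("RK" in s["flags"] for s in ready):
        problems.append("no READY rekey SA from " + ks_addr)
    for s in group:
        for f in sorted(s["flags"] & {"FD", "TO", "RL"}):
            problems.append("SA %d is %s" % (s["id"], FLAGS[f]))
    return problems

# Output copied from the GM 1 example above.
SAMPLE = """\
total phase-1 SAs: 2
connection-id peer flag phase doi
-----------------------------------------------------------------
658 100.1.1.100 RD|ST 1 GROUP
659 100.1.1.100 RD|RK 1 GROUP
"""

if __name__ == "__main__":
    print(check_gdoi_registration(SAMPLE, "100.1.1.100") or "registered")
```

A GM that reports a missing rekey SA is registered but will not receive rekey messages from the KS.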
# Execute the display ipsec sa command on GM 1 to display IPsec SAs.
[GM1] display ipsec sa
===============================
Interface: Ethernet1/1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map"
sequence number: 1
mode: gdoi
-----------------------------
PFS: N, DH group: none
tunnel:
local address: 1.1.1.1
remote address: 0.0.0.0
flow:
sour addr: 10.1.1.0/255.255.255.0 port: 0 protocol: IP
dest addr: 10.1.2.0/255.255.255.0 port: 0 protocol: IP