F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100

Step 1322. Enable MD5 authentication when establishing a TCP connection to the peer or peer group.
    Command: peer { ipv6-group-name | ipv6-address } password { cipher | simple } password
    Remarks: Not enabled by default.
Applying an IPsec policy to an IPv6 BGP peer or peer group
To protect routing information and defend against attacks, IPv6 BGP can authenticate protocol packets by using
an IPsec policy.
Outbound IPv6 BGP packets carry the Security Parameter Index (SPI) defined in the IPsec policy. A device
uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the
device accepts the packet; otherwise, it discards the packet and will not establish a neighbor relationship
with the sending device.
Configuration prerequisites
Before applying an IPsec policy to a peer or peer group, complete the following tasks:
- Create an IPsec proposal.
- Create an IPsec policy.
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration procedure
An IPsec policy used for IPv6 BGP can only be in manual mode. For more information, see VPN
Configuration Guide.
To apply an IPsec policy to a peer or peer group:
Step 1323. Enter system view.
    Command: system-view
    Remarks: N/A
Step 1324. Enter BGP view.
    Command: bgp as-number
    Remarks: N/A
Step 1325. Enter IPv6 address family view.
    Command: ipv6-family
    Remarks: N/A
Step 1326. Apply an IPsec policy to a peer or peer group.
    Command: peer { group-name | ip-address } ipsec-policy policy-name
    Remarks: Not configured by default.
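An added example (not from the guide): a Python check over a saved configuration that reports IPv6 BGP peers and peer groups that have neither the MD5 `password` command nor an `ipsec-policy` applied in `ipv6-family` view. The sample configuration, its indentation, the `peer ... as-number` lines, and the choice to also report `password simple` entries are assumptions made for illustration.

```python
import re

# Constructed sample; layout and "peer ... as-number" lines are assumptions.
SAMPLE_CONFIG = """\
bgp 65001
 peer 192.0.2.1 as-number 65002
 ipv6-family
  peer 2001:db8::1 as-number 65002
  peer 2001:db8::1 ipsec-policy policy001
  peer 2001:db8::2 as-number 65003
  peer 2001:db8::2 password simple ExamplePass
  peer core-v6 as-number 65001
  peer core-v6 password cipher EXAMPLE-CIPHERTEXT
  peer 2001:db8::3 as-number 65004
"""

PEER_RE = re.compile(r"peer\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def audit_ipv6_bgp_peers(config):
    """Return {peer: [findings]} for peers configured in ipv6-family view."""
    protections = {}      # peer or group name -> protections seen
    view_indent = None    # indentation of the ipv6-family line while inside it
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if line == "ipv6-family":
            view_indent = indent
        elif view_indent is not None and line and indent <= view_indent:
            view_indent = None            # left the IPv6 address family view
        elif view_indent is not None and (m := PEER_RE.match(line)):
            peer, keyword, arg = m.groups()
            seen = protections.setdefault(peer, set())
            if keyword == "ipsec-policy":
                seen.add("ipsec")
            elif keyword == "password":
                seen.add("md5-" + (arg or ""))
    findings = {}
    for peer, seen in protections.items():
        issues = []
        if not seen:
            issues.append("no MD5 password or IPsec policy")
        if "md5-simple" in seen:
            issues.append("password entered with 'simple'")
        if issues:
            findings[peer] = issues
    return findings

if __name__ == "__main__":
    print(audit_ipv6_bgp_peers(SAMPLE_CONFIG))
```

Peers configured directly in BGP view, such as `192.0.2.1` in the sample, are outside the IPv6 address family view and are not evaluated.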
Configuring a large-scale IPv6 BGP network
In a large-scale IPv6 BGP network, configuration and maintenance become inconvenient because of too
many peers. Configuring peer groups makes management easier and improves route distribution
efficiency. Peer groups include IBGP peer groups, where peers belong to the same AS, and EBGP peer
groups, where peers belong to different ASs. If all peers in an EBGP group belong to the same external AS,
the EBGP peer group is a pure EBGP peer group; otherwise, it is a mixed EBGP peer group.
In a peer group, all members have a common policy. The COMMUNITY attribute lets a set
of IPv6 BGP routers in multiple ASs share the same policy, because sending communities between IPv6
BGP peers is not limited by AS.