F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Step 3. Enable IPsec RRI.
  Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
  Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword. If the keyword is not specified, dynamic IPsec RRI is enabled.
Step 4. Change the preference of the static routes created by IPsec RRI.
  Command: reverse-route preference preference-value
  Remarks: Optional. 60 by default.
Step 5. Set a tag for the static routes created by IPsec RRI.
  Command: reverse-route tag tag-value
  Remarks: Optional. 0 by default.
IPsec RRI can operate in both tunnel mode and transport mode.
When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes.
It does not delete or modify static routes it has created.
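As an added example that is not taken from this guide, the following Comware-style IPsec policy fragment combines steps 3 through 5 above: it enables static IPsec RRI and sets the preference and tag of the routes RRI creates. The policy name, sequence number, ACL number, IKE peer name and proposal name are placeholders assumed for illustration; only the reverse-route commands are from this page.

```text
# Placeholder context: IKE-negotiated IPsec policy "policy1", sequence 10. The ACL 3000,
# IKE peer "peer1" and proposal "prop1" are assumed to exist already.
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 proposal prop1
 # Step 3: enable static IPsec RRI. Without the "static" keyword this line enables dynamic RRI.
 reverse-route static
 # Step 4: raise the preference value from the default 60 to 100, so an ordinary static route
 # (default preference 60) to the same destination is preferred over the RRI-created route.
 reverse-route preference 100
 # Step 5: tag the RRI-created routes (default tag 0) so a routing policy can match them.
 reverse-route tag 100
 quit
```

Because this policy uses static IPsec RRI, a later change to the preference or tag deletes and re-creates all RRI routes with the new attributes; with dynamic RRI, routes that already exist keep their old attributes and only routes created afterwards get the new ones.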
Implementing tunnel interface-based IPsec
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec transform set to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec transform set, and to specify the IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is required for IPsec policy configuration, is not needed in the IPsec profile.
Complete the following tasks to configure tunnel interface-based IPsec:
Task: Configuring an IPsec transform set
  Remarks: Required. An IPsec transform set for the IPsec tunnel interface to reference supports tunnel mode only.
Task: Configuring an IPsec profile
  Remarks: Required.
Task: Configuring an IPsec tunnel interface
  Remarks: Required.
Task: Applying a QoS policy to an IPsec tunnel interface
  Remarks: Optional.
Task: Enabling the encryption engine
  Remarks: Optional.
Task: Configuring the IPsec anti-replay function
  Remarks: Optional.
Task: Configuring IPsec stateful failover
  Remarks: Optional.