R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101

Within a given network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers in that scope must use the same SPI and keys. For OSPFv3, the scope
can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly
connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected
neighbors or a neighbor group.
Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal
format on one router, do so across the defined scope.
This command is not available in FIPS mode.
Related commands: ipsec policy (system view).
Examples
# Configure the inbound and outbound SAs that use AH to use the keys abcdef and efcdab respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah efcdab
# Configure the inbound and outbound SAs that use AH to use the same key abcdef (as required when the SAs protect an IPv6 routing protocol within a scope).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah abcdef
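The scope rule in this command's description is easy to violate when several routers are configured by hand. The following Python script is an added example and is not from this reference or from HP: it parses manual-policy excerpts collected from several routers and reports any router whose inbound and outbound SAs differ, or any SA whose SPI or key differs across the scope. Router names, SPIs and keys are constructed sample data; the `sa spi { inbound | outbound } { ah | esp } spi-number` line syntax is assumed from the manual-SA commands on this platform, and only keys entered with `sa string-key` are parsed.

```python
import re
from collections import defaultdict

# Constructed sample configs (hypothetical router names, SPIs and keys, not
# taken from the reference). RouterA and RouterB follow the rule; RouterC uses
# a different outbound key, which breaks the scope-wide requirement.
POLICY_OK = """
ipsec policy policy1 100 manual
 sa spi inbound ah 12345
 sa spi outbound ah 12345
 sa string-key inbound ah abcdef
 sa string-key outbound ah abcdef
"""
POLICY_BAD = POLICY_OK.replace("sa string-key outbound ah abcdef",
                               "sa string-key outbound ah efcdab")

GOOD_SCOPE = {"RouterA": POLICY_OK, "RouterB": POLICY_OK}
BAD_SCOPE = {"RouterA": POLICY_OK, "RouterB": POLICY_OK, "RouterC": POLICY_BAD}

# Only the 'sa spi' (assumed syntax) and 'sa string-key' forms are parsed; keys
# entered with the hex-key commands are not recognised, so a hex/string format
# mismatch across routers shows up as a missing key, not as a format finding.
SA_LINE = re.compile(r"^\s*sa (spi|string-key) (inbound|outbound) (ah|esp) (\S+)\s*$")


def parse_manual_sas(config):
    """Map (direction, protocol) -> {'spi': ..., 'key': ...} for the manual SA
    lines of one policy excerpt."""
    sas = defaultdict(dict)
    for line in config.splitlines():
        m = SA_LINE.match(line)
        if m:
            kind, direction, proto, value = m.groups()
            sas[(direction, proto)]["spi" if kind == "spi" else "key"] = value
    return dict(sas)


def check_scope(configs):
    """Return a list of findings; empty means every router uses the same SPI and
    key for its inbound and outbound SAs and all routers agree on them."""
    findings = []
    parsed = {name: parse_manual_sas(cfg) for name, cfg in configs.items()}

    # Rule 1: on each router, inbound and outbound must match per protocol.
    for name, sas in parsed.items():
        for proto in ("ah", "esp"):
            inb = sas.get(("inbound", proto), {})
            outb = sas.get(("outbound", proto), {})
            if not inb and not outb:
                continue
            for field in ("spi", "key"):
                if inb.get(field) != outb.get(field):
                    findings.append(f"{name}: {proto} inbound/outbound {field} differ")

    # Rule 2: across the scope, every router must use the same values.
    for direction, proto in sorted({k for sas in parsed.values() for k in sas}):
        per_router = {name: sas.get((direction, proto), {}) for name, sas in parsed.items()}
        if len({tuple(sorted(v.items())) for v in per_router.values()}) > 1:
            detail = ", ".join(f"{n}={v}" for n, v in sorted(per_router.items()))
            findings.append(f"{proto} {direction} SA differs across routers: {detail}")
    return findings


if __name__ == "__main__":
    for label, scope in (("good", GOOD_SCOPE), ("bad", BAD_SCOPE)):
        print(label, check_scope(scope) or "consistent")
```

Run it against the `display current-configuration` output of every router in the scope (one entry per router); the second rule is what catches a router that is internally consistent but was keyed differently from its neighbors, which the routing protocol will only reveal as silently dropped packets.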
security acl
Syntax
security acl acl-number [ aggregation ]
undo security acl
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
acl-number: Number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the
standard mode is used.
Description
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
By default, an IPsec policy references no ACL.
With an IKE-dependent IPsec policy configured, data flows can be protected in two modes:
Standard mode, in which one tunnel protects one data flow. The data flow permitted by each ACL
rule is protected by one tunnel that is established separately for it.
Aggregation mode, in which one tunnel protects all data flows permitted by all the rules of an ACL.