R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
• Change their route preference for equal-cost multipath (ECMP) routing or route backup. If multiple
routes to the same destination have the same preference, traffic is balanced among them. If multiple
routes to the same destination have different preference values, the route with the highest preference
forwards traffic and all other routes are backup routes.
• Change their tag value so the gateway can control the use of the static routes based on routing
policies.
To configure IPsec RRI:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IPsec policy view or IPsec policy template view.
   Command:
   • To enter IPsec policy view: ipsec policy policy-name seq-number [ isakmp | manual ]
   • To enter IPsec policy template view: ipsec policy-template template-name seq-number
   Remarks: Configure either command.
3. Enable IPsec RRI.
   Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
   Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword. If the keyword is not specified, dynamic IPsec RRI is enabled.
4. Change the preference of the static routes created by IPsec RRI.
   Command: reverse-route preference preference-value
   Remarks: Optional. 60 by default.
5. Set a tag for the static routes created by IPsec RRI.
   Command: reverse-route tag tag-value
   Remarks: Optional. 0 by default.
NOTE:
• IPsec RRI can work in both tunnel mode and transport mode.
• When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static
routes. It does not delete or modify static routes it has created.
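To check the result of the procedure above, the following added example (not part of the HP guide) parses a saved configuration and reports the effective RRI mode, preference, and tag for each IPsec policy entry, applying the defaults from the steps above. It assumes each view's commands are listed indented beneath an unindented ipsec policy or ipsec policy-template line; the function name, policy names, and address are constructed for illustration.

```python
import re

# Defaults from the steps above: RRI disabled, preference 60, tag 0.
DEFAULT_PREFERENCE, DEFAULT_TAG = 60, 0
HEADER = re.compile(r"^ipsec (policy|policy-template) (\S+) (\d+)(?: (isakmp|manual))?$")

def audit_rri(config_text):
    """Return {(kind, name, seq): effective RRI settings} for each IPsec policy entry."""
    results, current = {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # unindented: a new view or a '#' separator
            m = HEADER.match(line.strip())
            current = None
            if m:
                current = {"rri": "disabled", "remote_peer": None,
                           "preference": DEFAULT_PREFERENCE, "tag": DEFAULT_TAG}
                results[(m.group(1), m.group(2), int(m.group(3)))] = current
            continue
        tokens = line.split()
        if current is None or not tokens or tokens[0] != "reverse-route":
            continue
        args = tokens[1:]
        if args[:1] == ["preference"] and len(args) == 2:
            current["preference"] = int(args[1])
        elif args[:1] == ["tag"] and len(args) == 2:
            current["tag"] = int(args[1])
        else:
            # The static keyword selects static RRI; without it, dynamic RRI is enabled.
            current["rri"] = "static" if "static" in args else "dynamic"
            if args[:1] == ["remote-peer"] and len(args) >= 2:
                current["remote_peer"] = args[1]
    return results

# Constructed sample configuration (policy names and address are illustrative).
SAMPLE = """\
#
ipsec policy branch 10 isakmp
 reverse-route remote-peer 192.0.2.1 static
 reverse-route preference 100
 reverse-route tag 1000
#
ipsec policy-template tmpl 1
 reverse-route
#
ipsec policy legacy 20 manual
#
"""
if __name__ == "__main__":
    print(audit_rri(SAMPLE))
```

Entries reported as disabled create no RRI routes, and entries still at preference 60 and tag 0 have not been differentiated for ECMP, route backup, or routing-policy matching.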
Configuring tunnel interface-based IPsec
NOTE:
The tunnel interface-based IPsec configuration is available only at the CLI.
Configuration task list
The following is the generic configuration procedure for implementing tunnel interface-based IPsec:
1. Configure an IPsec proposal to specify the security protocols, authentication and encryption
algorithms, and encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec proposal, and to specify the IKE
peer parameters and the SA lifetime.