R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide

| Step | Command | Remarks |
|---|---|---|
| 2. Create an IPsec profile and enter IPsec profile view. | ipsec profile profile-name | By default, no IPsec profile is created. |
| 3. Specify the IPsec transform sets for the IPsec profile to reference. | transform-set transform-set-name&<1-6> | By default, an IPsec profile references no IPsec transform set. |
| 4. Specify the IKE peer for the IPsec profile to reference. | ike-peer peer-name | By default, an IPsec profile references no IKE peer. |
| 5. Enable and configure perfect forward secrecy (PFS). | pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 } | Optional. By default, PFS is not used for negotiation. For information about PFS, see Security Configuration Guide. |
| 6. Configure the SA lifetime. | sa duration { time-based seconds \| traffic-based kilobytes } | Optional. By default, an IPsec profile uses the global SA lifetime. For information about global SA lifetime, see Security Configuration Guide. |
For more information about commands ipsec profile, transform-set, ike-peer, pfs, and sa duration, see
Security Command Reference.
Configuring DVPN tunnel parameters
Configuration guidelines
• When you configure a DVPN tunnel on an HSR6802/HSR6804/HSR6808 router, you must execute the service command to specify the service card that forwards the traffic on the current tunnel interface. For more information about the service command, see Layer 3 - IP Services Command Reference.
• If you configure the source address of a tunnel interface by specifying the source interface, the tunnel takes the primary IP address of the source interface as its source address.
• To configure multiple DVPN tunnels that use GRE encapsulation, you must configure unique source addresses and source interfaces for these tunnels.
• Tunnel interfaces of the same VPN domain must be configured with private addresses in the same segment.
• Tunnel interfaces of the same VPN domain must be configured with the same DVPN keepalive interval and transmission attempt limit.
• A DVPN tunnel interface can reference only one IPsec profile. To change the IPsec profile referenced by a DVPN tunnel interface, you must first cancel the reference to the current IPsec profile and then apply the new IPsec profile to the tunnel interface.
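The following is an added example, not part of the HP guide, that turns the IPsec profile defaults from the table above and the DVPN tunnel guidelines into a pre-deployment check. It assumes a simple dict-based inventory of profiles and tunnel interfaces (a constructed data model, not a Comware configuration parser) and reports every guideline the sample inventory violates.

```python
import ipaddress
from collections import defaultdict
# Constructed sample inventory (assumed data model, not the guide's own format).
PROFILES = {
    "prof1": {"transform_sets": ["ts1"], "ike_peer": "peer1", "pfs": "dh-group14"},
    "prof2": {"transform_sets": [], "ike_peer": None, "pfs": None},
}
TUNNELS = [
    dict(device="hub", name="Tunnel1", vpn_domain=1, encap="gre", source="1.1.1.1",
         address="10.1.1.1/24", keepalive=(10, 3), ipsec_profiles=["prof1"]),
    dict(device="hub", name="Tunnel2", vpn_domain=2, encap="gre", source="1.1.1.1",
         address="10.2.1.1/24", keepalive=(10, 3), ipsec_profiles=["prof1", "prof2"]),
    dict(device="spoke", name="Tunnel1", vpn_domain=1, encap="gre", source="2.2.2.2",
         address="10.1.9.1/24", keepalive=(20, 3), ipsec_profiles=["prof1"]),
]

def check_profiles(profiles):
    """Flag IPsec profiles left at the defaults the guide lists (nothing referenced, no PFS)."""
    findings = []
    for name, p in profiles.items():
        if not p["transform_sets"]:
            findings.append(f"profile {name}: references no IPsec transform set")
        if not p["ike_peer"]:
            findings.append(f"profile {name}: references no IKE peer")
        if not p["pfs"]:
            findings.append(f"profile {name}: PFS not enabled (default)")
    return findings

def check_tunnels(tunnels):
    """Apply the DVPN tunnel guidelines across all tunnel interfaces of the DVPN."""
    findings = []
    gre_sources = defaultdict(list)  # (device, source address) -> tunnel labels
    domains = defaultdict(list)      # VPN domain -> tunnel interfaces
    for t in tunnels:
        label = f"{t['device']} {t['name']}"
        if len(t["ipsec_profiles"]) > 1:
            findings.append(f"{label}: references more than one IPsec profile")
        if t["encap"] == "gre":
            gre_sources[(t["device"], t["source"])].append(label)
        domains[t["vpn_domain"]].append(t)
    for (dev, src), names in gre_sources.items():
        if len(names) > 1:
            findings.append(f"{dev}: GRE tunnels {names} share source {src}")
    for dom, ts in domains.items():
        nets = {ipaddress.ip_interface(t["address"]).network for t in ts}
        if len(nets) > 1:
            findings.append(f"VPN domain {dom}: tunnel addresses span {len(nets)} segments")
        if len({t["keepalive"] for t in ts}) > 1:
            findings.append(f"VPN domain {dom}: keepalive settings differ")
    return findings
```

Run `check_profiles(PROFILES)` and `check_tunnels(TUNNELS)` on the sample inventory; the second hub tunnel trips the one-profile rule and the shared-GRE-source rule, and VPN domain 1 trips the same-segment and same-keepalive rules.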