R2511-HP MSR Router Series Security Configuration Guide(V5)

and apply them to IPsec tunnel interfaces (see "Implementing tunnel interface-based IPsec"). By
using IPsec profiles, this IPsec implementation method simplifies IPsec VPN configuration and
management, and improves the scalability of large VPN networks.
Application-based IPsec protects the packets of a specific service. This IPsec implementation method can be used to protect IPv6 routing protocols. It requires no ACL and does not depend on the routing mechanism. To configure application-based IPsec, configure manual IPsec policies and bind them to an IPv6 routing protocol. See "Configuring IPsec for IPv6 routing protocols."
Implementing ACL-based IPsec
The following is the generic configuration procedure for implementing ACL-based IPsec:
1. Configure an ACL for identifying the data flows to be protected.
2. Configure IPsec transform sets to specify the security protocols and the authentication and encryption algorithms.
3. Configure an IPsec policy group to associate the data flows with the IPsec transform sets and to specify the SA negotiation mode, the peer IP addresses (the start and end points of the IPsec path), the required keys, and the SA lifetime.
4. Apply the IPsec policies to interfaces to finish the IPsec configuration. To implement IPsec through an encryption card, also bind the IPsec policies to one or more encryption cards in addition to applying them to the interfaces.
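The four steps above as one configuration, added here as an illustration and not taken from this guide or from any HP example: a local router at 1.1.1.1 protects traffic between its LAN 10.1.1.0/24 and the remote LAN 10.1.2.0/24 behind the peer 2.2.2.2, using IKE (isakmp) negotiation. All names, addresses and the pre-shared key are assumed values, and the command forms are the Comware V5 syntax as the editor recalls it; check them against the command reference for your device and software release.

```text
# Added example (not from the guide). Assumed topology: local WAN 1.1.1.1,
# peer 2.2.2.2, local LAN 10.1.1.0/24, remote LAN 10.1.2.0/24.
#
# Step 1: ACL that identifies the flows to protect. Keep it narrow: traffic
# the ACL does not match leaves in the clear, and the peer needs the mirror
# image of these rules (source and destination swapped).
acl number 3000
 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
# Step 2: transform set - ESP in tunnel mode with AES-128 encryption and
# SHA-1 authentication (prefer these over the DES/MD5 options the platform
# also accepts).
ipsec transform-set tran1
 encapsulation-mode tunnel
 transform esp
 esp encryption-algorithm aes 128
 esp authentication-algorithm sha1
#
# IKE proposal and peer used by the policy below. AES and DH group 14
# replace the weaker defaults; the pre-shared key is a placeholder and
# must be a long random secret shared only with 2.2.2.2.
ike proposal 1
 encryption-algorithm aes-cbc 128
 authentication-algorithm sha
 dh group14
ike peer peer1
 proposal 1
 pre-shared-key simple ExampleKey-ChangeMe
 remote-address 2.2.2.2
#
# Step 3: policy entry 10 of policy group policy1 - ties the ACL to the
# transform set, names the peer (SA negotiation mode isakmp, so keys and
# addresses come from IKE rather than being typed in), and bounds the SA
# lifetime to one hour so keys are refreshed.
ipsec policy policy1 10 isakmp
 security acl 3000
 ike-peer peer1
 transform-set tran1
 sa duration time-based 3600
#
# Step 4: apply the policy group to the WAN interface that faces the peer.
interface Serial2/0
 ip address 1.1.1.1 255.255.255.0
 ipsec policy policy1
```

After the peer is configured with the mirrored ACL, the same transform set and IKE proposal, and the same key, send traffic between the two LANs and confirm that both an IKE SA and an IPsec SA were negotiated with display ike sa and display ipsec sa. With a manual-mode policy the peer addresses, SPIs and keys would be entered in the policy instead of being negotiated; the optional task "Enabling ACL checking of de-encapsulated IPsec packets" in the list below is worth turning on in either mode, since it rejects inbound decrypted packets that fall outside the ACL the SA was negotiated for.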
Complete the following tasks to configure ACL-based IPsec:

Task                                                                                   Remarks
Configuring an ACL                                                                     Required. Basic IPsec configuration.
Configuring an IPsec transform set                                                     Required. Basic IPsec configuration.
Configuring an IPsec policy                                                            Required. Basic IPsec configuration.
Applying an IPsec policy group to an interface                                         Required. Basic IPsec configuration.
Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card    Optional.
Enabling the encryption engine                                                         Optional.
Enabling the IPsec module backup function                                              Required.
Configuring the IPsec session idle timeout                                             Optional.
Enabling ACL checking of de-encapsulated IPsec packets                                 Optional.
Configuring the IPsec anti-replay function                                             Optional.
Configuring a shared source interface policy group                                     Optional.
Configuring packet information pre-extraction                                          Optional.
Enabling invalid SPI recovery                                                          Optional.
Configuring IPsec RRI                                                                  Optional.
Enabling transparent data transmission without NAT                                     Optional.
Enabling fragmentation before/after encryption                                         Optional.