R2511-HP MSR Router Series Security Configuration Guide(V5)
159
• Configure Router A:
acl number 3000
rule 0 permit ip source 1.1.1.0 0.0.0.255 destination 2.2.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3000
ike-peer aa
transform-set 1
#
ipsec policy test 2 isakmp
security acl 3001
ike-peer bb
transform-set 1
• Configure Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy test 1 isakmp
security acl 3001
ike-peer aa
transform-set 1
Mirror image ACLs
To make sure that SAs can be set up and that the traffic protected by IPsec can be processed correctly at the remote peer, create on the remote peer a mirror image ACL rule for each ACL rule created at the local peer. As shown in Figure 54, the ACL rules on Router B are mirror images of the rules on Router A. This makes sure that SAs can be created successfully for the traffic between Host A and Host C and for the traffic between Network 1 and Network 2.
Figure 54 Mirror image ACLs
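Writing one mirror rule per local rule, in the same order, is easy to get wrong by hand once an ACL has more than a few rules. The following Python helper is an added example, not part of the guide or of HP's software: it parses the subset of Comware V5 ACL syntax shown on this page (permit/deny, protocol, optional source and destination with wildcard masks), generates the mirror-image rules to configure on the remote peer, and checks whether two peers' ACLs actually mirror each other. The sample ACL text is constructed from the Router A and Router B acl 3001 configurations above.

```python
import re

# Constructed sample, copied from the guide's Router A / Router B acl 3001.
ROUTER_A_ACL_3001 = """\
rule 0 permit ip source 1.1.2.0 0.0.0.255 destination 3.3.3.0 0.0.0.255
rule 1 deny ip
"""
ROUTER_B_ACL_3001 = """\
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
"""

# Rule forms used on this page; an omitted source/destination means "any".
RULE_RE = re.compile(
    r"^rule\s+\d+\s+(permit|deny)\s+(\S+)"
    r"(?:\s+source\s+(\S+)\s+(\S+))?"
    r"(?:\s+destination\s+(\S+)\s+(\S+))?\s*$"
)

def parse_acl(text):
    """Ordered (action, proto, src, dst) tuples; src/dst = (addr, wildcard) or None."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("rule"):
            continue  # skip "acl number ..." and blank lines
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule syntax: {line!r}")
        act, proto, sa, sw, da, dw = m.groups()
        rules.append((act, proto, (sa, sw) if sa else None, (da, dw) if da else None))
    return rules

def mirror_rules(rules):
    """Mirror image: swap source and destination of every rule, keeping order."""
    return [(act, proto, dst, src) for act, proto, src, dst in rules]

def render_rules(rules):
    """Emit the rule lines to configure in the remote peer's ACL."""
    out = []
    for num, (act, proto, src, dst) in enumerate(rules):
        line = f"rule {num} {act} {proto}"
        line += f" source {src[0]} {src[1]}" if src else ""
        line += f" destination {dst[0]} {dst[1]}" if dst else ""
        out.append(line)
    return out

def is_mirror_image(local_text, remote_text):
    """True when the remote ACL is exactly the mirror image of the local ACL."""
    return mirror_rules(parse_acl(local_text)) == parse_acl(remote_text)
```

Rule numbers are deliberately ignored by the comparison, because only the order and content of the rules matter for the mirror property.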
If the ACL rules on peers do not form mirror images of each other, SAs can be set up only when both of the following requirements are met: