R2511-HP MSR Router Series Security Configuration Guide(V5)

ManualsBrandsHP ManualsNetwork HardwareHP MSR1003-8 AC Router

171

172

173

174

175

176

177

178

179

180

162

Ste

Command

Remarks

6. Enable the ESN function.

esn enable

Optional.

By default, ESN is disabled.

Changes to an IPsec transform set affect only SAs negotiated after the changes. To apply the changes to

existing SAs, execute the reset ipsec sa command to clear the SAs so that they can be set up using the

updated parameters.

To modify an existing IPsec transform set, use the undo ipsec transform-set command to delete it, and

then configure a new one.

Configuring an IPsec policy

IPsec policies define which IPsec transform sets should be used to protect which data flows. An IPsec

policy is uniquely identified by its name and sequence number.

IPsec policies include the following categories:

• Manual IPsec policy—The parameters are configured manually, such as the keys, the SPIs, and the

IP addresses of the two ends in tunnel mode.

• IPsec policy that uses IKE—The parameters are automatically negotiated through IKE.

• GDOI IPsec policy—A GM in a GDOI group obtains the IPsec policy settings (such as encryption

and authentication algorithms) of the GDOI group from the KS.

Configuring a manual IPsec policy

To guarantee successful SA negotiations, follow these guidelines when configuring manual IPsec policies

at the two ends of an IPsec tunnel:

• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,

security algorithms, and encapsulation mode.

• The remote IP address configured on the local end must be the same as the IP address of the remote

end.

• At each end, configure parameters for both the inbound SA and the outbound SA and make sure

that different SAs use different SPIs.

• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true

of the local outbound SA and remote inbound SA.

• The keys for the local and remote inbound and outbound SAs must be in the same format. For

example, if the local inbound SA uses a key in characters, the local outbound SA and remote

inbound and outbound SAs must use keys in characters.

Follow these guidelines when you configure an IPsec policy for an IPv6 routing protocol:

• You do not need to configure ACLs or IPsec tunnel addresses.

• Within a certain routed network scope, the IPsec transform sets used by the IPsec policies on all

routers must have the same security protocols, security algorithms, and encapsulation mode. For

OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope

can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly

connected neighbors or a neighbor group.

• All SAs (both inbound and outbound) within the routed network scope must use the same SPI and

keys.