R2511-HP MSR Router Series Security Configuration Guide(V5)

Configure the keys on all routers within the routed network scope in the same format. For example,
if you enter the keys in hexadecimal format on one router, do so across the routed network scope.
Before you configure a manual IPsec policy, configure the ACLs used for identifying protected traffic and
the IPsec transform sets. ACLs are not required for IPsec policies that are applied to IPv6 routing protocols.
To configure a manual IPsec policy:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a manual IPsec policy and enter its view.
   Command: ipsec policy policy-name seq-number manual
   Remarks: By default, no IPsec policy exists.

3. Assign an ACL to the IPsec policy.
   Command: security acl acl-number
   Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications.
   By default, an IPsec policy references no ACL.
   The ACL supports match criteria of the VPN attribute.
   An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the most recent one takes effect.

4. Assign an IPsec transform set to the IPsec policy.
   Command: transform-set transform-set-name
   Remarks: By default, an IPsec policy references no IPsec transform set.
   A manual IPsec policy can reference only one IPsec transform set. To change an IPsec transform set for an IPsec policy, you must remove the reference first.

5. Configure the local address of the IPsec tunnel.
   Command: tunnel local ip-address
   Remarks: Not needed for IPsec policies to be applied to IPv6 routing protocols and required for other applications.
   Not configured by default.

6. Configure the remote address of the IPsec tunnel.
   Command: tunnel remote ip-address
   Remarks: Not configured by default.

7. Configure an SPI for an SA.
   Command: sa spi { inbound | outbound } { ah | esp } spi-number
   Remarks: N/A
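
The following Python script is an added example, not part of the HP guide. It checks two peers' command lists against the constraints in the table above: one effective ACL, one transform set, mirrored tunnel addresses and matching SPIs. The rule that one peer's outbound SPI must equal the other peer's inbound SPI is standard manual-SA behaviour assumed here, not stated in this section; the policy names, ACL numbers, addresses and SPI values are constructed.

```python
# Constructed command lists for two peers; names, addresses and SPIs are made up.
ROUTER_A = """ipsec policy map1 10 manual
security acl 3101
transform-set tran1
tunnel local 192.0.2.1
tunnel remote 192.0.2.2
sa spi outbound esp 12345
sa spi inbound esp 54321"""
ROUTER_B = """ipsec policy use1 10 manual
security acl 3000
security acl 3101
transform-set tran1
tunnel local 192.0.2.2
tunnel remote 192.0.2.1
sa spi outbound esp 54321
sa spi inbound esp 11111"""

def parse_policy(text):
    """Collect the per-policy settings entered with the commands in the table."""
    p = {"acl": [], "transform-set": [], "local": None, "remote": None, "spi": {}}
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["security", "acl"]:
            p["acl"].append(tok[2])
        elif tok[:1] == ["transform-set"]:
            p["transform-set"].append(tok[1])
        elif tok[:1] == ["tunnel"] and tok[1] in ("local", "remote"):
            p[tok[1]] = tok[2]
        elif tok[:2] == ["sa", "spi"]:
            p["spi"][(tok[2], tok[3])] = int(tok[4])  # key: (direction, protocol)
    return p

def audit_pair(a, b, ipv6_routing=False):
    """Return findings for two peers' manual policies (empty list = consistent)."""
    out = []
    for name, p in (("A", a), ("B", b)):
        if len(p["acl"]) > 1:
            out.append(f"{name}: {len(p['acl'])} ACLs assigned, only {p['acl'][-1]} takes effect")
        if not ipv6_routing and not p["acl"]:
            out.append(f"{name}: no ACL assigned")
        if len(p["transform-set"]) != 1:
            out.append(f"{name}: expected exactly one transform set")
    if not ipv6_routing and (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("tunnel addresses are not mirrored between peers")
    for x, y, tag in ((a, b, "A->B"), (b, a, "B->A")):
        for (direction, proto), spi in x["spi"].items():
            if direction == "outbound" and y["spi"].get(("inbound", proto)) != spi:
                out.append(f"{tag}: {proto} outbound SPI {spi} has no matching inbound SPI")
    return out

print("\n".join(audit_pair(parse_policy(ROUTER_A), parse_policy(ROUTER_B))))
```

With the constructed input, the script reports the superseded ACL on router B and the SPI mismatch in the A-to-B direction.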