R2511-HP MSR Router Series Security Configuration Guide(V5)

| Step | Command | Remarks |
|---|---|---|
| 3. Configure an IPsec connection name. | `connection-name name` | Optional. By default, no IPsec connection name is configured. |
| 4. Assign an ACL to the IPsec policy. | `security acl acl-number [ aggregation ]` | By default, an IPsec policy references no ACL. |
| 5. Assign IPsec transform sets to the IPsec policy. | `transform-set transform-set-name&<1-6>` | By default, an IPsec policy references no IPsec transform set. With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped. |
| 6. Specify an IKE peer for the IPsec policy. | `ike-peer peer-name [ primary ]` | N/A |
| 7. Specify an IKEv2 profile for the IPsec policy. | `ikev2 profile profile-name` | Required for IKEv2 negotiation. By default, an IPsec policy references no IKEv2 profile. |
| 8. Configure an IP address for the local security gateway. | `local-address { ipv4-address \| ipv6 ipv6-address }` | Optional. By default, the IP address of the interface to which the IPsec policy is applied is used as the local gateway IP address. This command is available only for IKEv2. |
| 9. Configure an IP address for the remote security gateway. | `remote-address { [ ipv6 ] host-name [ dynamic ] \| ipv4-address \| ipv6 ipv6-address }` | By default, no IP address is configured for the remote security gateway. The remote gateway IP address configuration is required on an IKEv2 negotiation initiator and optional on a responder. This command is available only for IKEv2. |
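
The remark on step 5 says that negotiation fails, and protected packets are dropped, when the two ends share no fully matched transform set. The following pre-deployment check is an added example, not code from this guide or from HP: it compares the transform sets referenced by the policies on both gateways and reports the first full match. The compared attributes (protocol, encryption, authentication, mode), the local-first search order, and all names and values are assumptions for illustration.

```python
from typing import NamedTuple

MAX_TRANSFORM_SETS = 6  # from the transform-set-name&<1-6> syntax in step 5


class TransformSet(NamedTuple):
    # Assumed attribute set; the page does not list what "fully matched" compares.
    name: str
    protocol: str        # e.g. "esp"
    encryption: str      # e.g. "aes-cbc-128"
    authentication: str  # e.g. "sha1"
    mode: str            # "tunnel" or "transport"

    def parameters(self):
        # The name is local to each device and is not part of the comparison.
        return (self.protocol, self.encryption, self.authentication, self.mode)


def first_full_match(local, remote):
    """Return (local_name, remote_name) of the first fully matching pair, or None."""
    for side, sets in (("local", local), ("remote", remote)):
        if not 1 <= len(sets) <= MAX_TRANSFORM_SETS:
            raise ValueError(
                f"{side} policy must reference 1 to {MAX_TRANSFORM_SETS} transform sets")
    remote_by_params = {}
    for ts in remote:
        remote_by_params.setdefault(ts.parameters(), ts.name)
    for ts in local:  # assumed preference order: as listed in the local policy
        match = remote_by_params.get(ts.parameters())
        if match is not None:
            return ts.name, match
    return None


# Constructed sample data, not taken from any real device.
SITE_A = [
    TransformSet("tran1", "esp", "aes-cbc-256", "sha1", "tunnel"),
    TransformSet("tran2", "esp", "aes-cbc-128", "sha1", "tunnel"),
]
SITE_B = [
    TransformSet("ts-legacy", "esp", "3des", "md5", "tunnel"),
    TransformSet("ts-std", "esp", "aes-cbc-128", "sha1", "tunnel"),
]
SITE_C = [TransformSet("ts-only", "esp", "aes-cbc-128", "sha1", "transport")]

if __name__ == "__main__":
    for label, remote in (("A<->B", SITE_B), ("A<->C", SITE_C)):
        result = first_full_match(SITE_A, remote)
        print(label, result or "no full match: no SA, protected traffic is dropped")
```

Site C differs from site A only in encapsulation mode, which is enough to leave the pair without a full match.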