R2511-HP MSR Router Series Security Configuration Guide(V5)

1. Configure an IPsec transform set to specify the security protocols, authentication and encryption algorithms, and encapsulation mode.
2. Configure an IPsec profile to associate data flows with the IPsec transform set, and to specify the IKE peer parameters and the SA lifetime.
3. Configure an IPsec tunnel interface and apply the IPsec profile to the interface. To enhance the encryption and decryption speed of the IPsec tunnel, bind the IPsec profile to one or more encryption cards.
NOTE:
Because packets routed to the IPsec tunnel interface are all protected, the data protection scope, which is required for IPsec policy configuration, is not needed in the IPsec profile.
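The three steps above on one router, as an added configuration example that is not from this guide. It is written in HP Comware V5 CLI syntax; the router name, the public addresses 1.1.1.1 and 2.2.2.2, the tunnel and LAN subnets, the object names and the pre-shared-key placeholder are all assumptions, and lines starting with # are annotations.

```text
# Step 1: transform set. Only tunnel mode is valid for a transform set
# referenced by an IPsec tunnel interface (see the task table below).
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm aes 128
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit

# IKE peer parameters that the profile will reference.
# <PRE-SHARED-KEY> is a placeholder; use a long random key on both ends.
[RouterA] ike peer peer1
[RouterA-ike-peer-peer1] pre-shared-key cipher <PRE-SHARED-KEY>
[RouterA-ike-peer-peer1] remote-address 2.2.2.2
[RouterA-ike-peer-peer1] quit

# Step 2: profile. No ACL: everything routed into the tunnel is protected.
# The SA lifetime (time-based, seconds) is set here rather than globally.
[RouterA] ipsec profile profile1
[RouterA-ipsec-profile-profile1] transform-set tran1
[RouterA-ipsec-profile-profile1] ike-peer peer1
[RouterA-ipsec-profile-profile1] sa duration time-based 3600
[RouterA-ipsec-profile-profile1] quit

# Step 3: IPsec tunnel interface with the profile applied.
[RouterA] interface Tunnel 0
[RouterA-Tunnel0] ip address 10.1.1.1 255.255.255.252
[RouterA-Tunnel0] tunnel-protocol ipsec ipv4
[RouterA-Tunnel0] source 1.1.1.1
[RouterA-Tunnel0] destination 2.2.2.2
[RouterA-Tunnel0] ipsec profile profile1
[RouterA-Tunnel0] quit

# Traffic selection is done by routing, not by an ACL: send the remote
# LAN into Tunnel 0 and it is encrypted by the single IPsec tunnel.
[RouterA] ip route-static 192.168.2.0 24 Tunnel 0
```

The peer router mirrors this configuration with the source, destination, remote-address and route swapped; `display ipsec sa` and `display ike sa` then show one IKE SA and one pair of IPsec SAs for the whole tunnel interface.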
Complete the following tasks to configure tunnel interface-based IPsec:

Task | Remarks
Configuring an IPsec transform set | Required. An IPsec transform set for the IPsec tunnel interface to reference supports tunnel mode only.
Configuring an IPsec profile | Required.
Configuring an IPsec tunnel interface | Required.
Enabling packet information pre-extraction on the IPsec tunnel interface | Optional.
Applying a QoS policy to an IPsec tunnel interface | Optional.
Binding an IPsec policy, IPsec policy group, or IPsec profile to an encryption card | Optional.
Enabling the encryption engine | Optional.
Enabling the IPsec module backup function | Optional.
Configuring the IPsec session idle timeout | Optional.
Enabling ACL checking of de-encapsulated IPsec packets | Optional.
Configuring the IPsec anti-replay function | Optional.
Configuring an IPsec profile
An IPsec policy is uniquely identified by its name and sequence number. An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority. After an IPsec policy group is applied to an interface, for each packet arriving at the interface, the system checks the IPsec policies of the IPsec policy group in ascending order of sequence numbers. One IPsec tunnel is established for each data flow to be protected, so multiple IPsec tunnels might exist on an interface.

An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified by its name alone and does not support ACL configuration. An IPsec profile defines the IPsec transform set to be used for protecting data flows and specifies the parameters for IKE negotiation. After an IPsec profile is applied to an IPsec tunnel interface, only one IPsec tunnel is set up to protect all data flows that are routed to the tunnel.