R2511-HP MSR Router Series Security Configuration Guide(V5)
IPsec profiles can be applied to only DVPN interfaces and IPsec tunnel interfaces. The IPsec tunnel
established using an IPsec profile protects all IP data routed to the tunnel interface.
Before configuring an IPsec profile, complete the following tasks:
• Configure the IPsec transform set for the IPsec profile to reference. For more information, see "Configuring an IPsec profile."
• Configure the IKE peer for IKEv1 negotiation. For more information, see "Configuring an IKE peer."
• Configure the IKEv2 profile for IKEv2 negotiation. For more information, see "Configuring an IKEv2 profile."
The parameters for the local and remote ends must match.
During an IKE negotiation based on an IPsec profile, the source and destination addresses of the IPsec
tunnel interface are used as the local and remote addresses. The local-address and remote-address
commands configured for IKE negotiation do not take effect.
If you do not configure the destination address of the IPsec tunnel interface, the local peer can only be
an IKE negotiation responder; it cannot initiate an IKE negotiation.
DVPN is a technology for establishing VPNs between enterprise branches that use dynamic
addresses to access the public network. For more information about DVPN tunnel interfaces, see Layer
3—IP Services Configuration Guide.
To configure an IPsec profile:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an IPsec profile and enter its view. | ipsec profile profile-name | By default, no IPsec profile exists. |
| 3. Specify the IPsec transform sets for the IPsec profile to reference. | transform-set transform-name&<1-6> | By default, an IPsec profile references no IPsec transform sets. |
| 4. Specify the IKE peer for the IPsec profile to reference. | ike-peer peer-name [ primary ] | N/A |
| 5. Specify an IKEv2 profile for the IPsec policy. | ikev2 profile profile-name | Required for IKEv2 negotiation. By default, an IPsec profile references no IKEv2 profile. |
| 6. Specify the IP packet encapsulation mode. | encapsulation-mode { transport \| tunnel } | Optional. Tunnel mode by default. This command is available only for IKEv2. Transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode. |
| 7. Enable TFC padding. | tfc enable | Optional. Disabled by default. |
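
The prerequisites and defaults in this procedure can be checked against saved configurations from both ends before the tunnel is brought up. The following Python script is an added example, not code from HP or from this guide; the configuration layout, the tunnel interface stanza with its source and destination lines, and all names and addresses are assumptions constructed for illustration.

```python
# Constructed samples; assumed layout: header at column 0, indented body, "#" separators.
LOCAL = """#
ipsec profile branch
 transform-set ts1 ts2
 ike-peer hq
 encapsulation-mode transport
#
ipsec profile spare
 ikev2 profile v2
#
interface Tunnel0
 ipsec profile branch
 source 192.0.2.1
"""
REMOTE = "#\nipsec profile branch\n transform-set ts1\n ike-peer br1\n#\n"

def parse_stanzas(text):  # header line -> list of body lines
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            current = None
        elif not line.startswith(" "):
            current = stanzas.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return stanzas

def has(body, *prefixes):
    return any(l.startswith(prefixes) for l in body)

def audit(text):
    findings = []
    for header, body in parse_stanzas(text).items():
        if header.startswith("ipsec profile "):
            name = header.split()[2]
            sets = [w for l in body if l.startswith("transform-set ") for w in l.split()[1:]]
            if not 1 <= len(sets) <= 6:  # transform-name&<1-6>
                findings.append(f"{name}: {len(sets)} transform sets referenced, need 1-6")
            if not has(body, "ike-peer ", "ikev2 profile "):
                findings.append(f"{name}: no IKE peer or IKEv2 profile referenced")
        elif header.lower().startswith("interface tunnel"):
            if has(body, "ipsec profile ") and not has(body, "destination "):
                findings.append(f"{header}: no destination, can only respond to IKE")
    return findings

def encap_mode(text, name):  # tunnel is the documented default
    body = parse_stanzas(text).get(f"ipsec profile {name}", [])
    modes = [l.split()[1] for l in body if l.startswith("encapsulation-mode ")]
    return modes[-1] if modes else "tunnel"
```

Run audit() on each end's configuration, then compare encap_mode() for the same profile on both ends; in the constructed samples the local end uses transport mode while the remote end falls back to the tunnel default, so the two ends do not match.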










