R2511-HP MSR Router Series Security Configuration Guide(V5)
186
[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set.
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Apply the IKE peer.
[RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-use1-10] quit
# Configure the IP address of the serial interface.
[RouterB] interface serial 2/2
[RouterB-Serial2/2] ip address 2.2.3.1 255.255.255.0
# Apply the IPsec policy group to the interface.
[RouterB-Serial2/2] ipsec policy use1
3. Verify the configuration:
After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up,
the traffic between the two subnets will be IPsec protected.
Configuring encryption cards for IPsec services
Network requirements
As shown in Figure 57, configure an IPsec tunnel implemented on encryption cards between Router A and
Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Configure the tunnel
to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm
SHA1-HMAC-96. Use IKE for IPsec SA negotiation.
Figure 57 Network diagram
Configuration procedure
1. Configure Router A:
#Define an ACL to identify data flows from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure a static route to Host B.
[RouterA] ip route-static 10.1.2.0 255.255.255.0 serial 2/1
Internet
S2/1
2.2.2.1/24
S2/2
2.2.3.1/24
Eth1/1
10.1.1.1/24
Eth1/1
10.1.2.1/24
Router A Router B
Host A
10.1.1.2/24
Host B
10.1.2.2/24