R2511-HP MSR Router Series Security Configuration Guide(V5)

After the configuration, IKE negotiation will be triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. If IKE negotiation is successful and SAs are set up,
the traffic between the two subnets will be IPsec protected through the encryption card.
Configuring IPsec interface backup
Network requirements
As shown in Figure 58, configure two IPsec tunnels operating in backup mode between Router A and
Router B to protect data flows between subnet 10.1.1.0/24 and subnet 10.1.2.0/24.
Configure the two tunnels to use the security protocol ESP, the encryption algorithm DES, and the
authentication algorithm SHA1-HMAC-96. Use IKE for IPsec SA negotiation. Configure a shared source
interface policy group to achieve smooth traffic switchover between the two interfaces.
Figure 58 Network diagram
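The requirements above select DES, which has a 56-bit key, and the procedure that follows sets the five-character pre-shared key abcde. The following Python script is an added example, not part of the HP guide: it reads a captured CLI session in the prompt format used here and reports both settings by line number without echoing the key. The names audit and MIN_PSK_LEN and the 20-character threshold are assumptions made for this example.

```python
import re

# Constructed sample: Router A commands copied from the procedure in this section.
SAMPLE = """\
<RouterA> system-view
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
[RouterA] ike peer peer
[RouterA-ike-peer-peer] pre-shared-key abcde
[RouterA-ike-peer-peer] remote-address 3.3.3.3
[RouterA-ike-peer-peer] quit
"""

# "<name>" is user view, "[name-view...]" is system view or a sub-view.
PROMPT = re.compile(r"^[<\[](?P<view>[^>\]]+)[>\]]\s*(?P<cmd>.*)$")
MIN_PSK_LEN = 20  # assumed local policy threshold, not a value from the guide


def audit(session):
    """Return (line_number, view, finding) for weak IPsec/IKE settings."""
    findings = []
    for lineno, raw in enumerate(session.splitlines(), 1):
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # "# ..." description lines and wrapped continuations
        # Drop the device name (assumed to contain no hyphen) to get the view.
        view = m["view"].partition("-")[2] or "top-level"
        words = m["cmd"].split()
        if (view.startswith("ipsec-transform-set-")
                and words[:2] == ["esp", "encryption-algorithm"]
                and words[2:3] == ["des"]):
            findings.append((lineno, view, "single DES, 56-bit key"))
        elif view.startswith("ike-peer-") and words[:1] == ["pre-shared-key"]:
            key = words[-1] if len(words) > 1 else ""
            if len(key) < MIN_PSK_LEN:
                # Report the length only, never the key itself.
                findings.append((lineno, view,
                                 f"pre-shared key is {len(key)} characters, "
                                 f"policy minimum is {MIN_PSK_LEN}"))
    return findings


if __name__ == "__main__":
    for lineno, view, why in audit(SAMPLE):
        print(f"line {lineno} [{view}]: {why}")
```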
Configuration procedure
1. Configure Router A:
# Define an ACL to identify traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24.
<RouterA> system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Configure an IPsec transform set named tran1.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Configure an IKE peer named peer.
[RouterA] ike peer peer
[RouterA-ike-peer-peer] pre-shared-key abcde
[RouterA-ike-peer-peer] remote-address 3.3.3.3
[RouterA-ike-peer-peer] quit
# Configure an IPsec policy named map1 that uses IKE negotiation mode.
[RouterA] ipsec policy map1 10 isakmp