R2511-HP MSR Router Series Security Configuration Guide(V5)

[RouterB-ike-peer-peer] pre-shared-key abcde
[RouterB-ike-peer-peer] remote-address 1.1.1.1
[RouterB-ike-peer-peer] quit
# Configure an IPsec policy named map1 that uses the IKE negotiation mode.
[RouterB] ipsec policy map1 10 isakmp
[RouterB-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterB-ipsec-policy-isakmp-map1-10] security acl 3101
[RouterB-ipsec-policy-isakmp-map1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-map1-10] quit
# Configure a loopback interface.
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 3.3.3.3 32
[RouterB-LoopBack0] quit
# Configure IPsec policy group map1 as a shared source interface policy group.
[RouterB] ipsec policy map1 local-address loopback 0
# Apply the shared source interface policy group to interface Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.3 24
[RouterB-Ethernet1/1] ipsec policy map1
[RouterB-Ethernet1/1] quit
# Apply the shared source interface policy group to interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 4.4.4.5 24
[RouterB-Ethernet1/2] ipsec policy map1
[RouterB-Ethernet1/2] quit
# Configure interface Ethernet 1/3.
[RouterB] interface ethernet 1/3
[RouterB-Ethernet1/3] ip address 10.1.2.1 24
[RouterB-Ethernet1/3] quit
# Configure a static route to Host A.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 ethernet 1/1 2.2.2.2
[RouterB] ip route-static 10.1.1.0 255.255.255.0 ethernet 1/2 4.4.4.4
# Configure a static route to interface Loopback 0 on Host B.
[RouterB] ip route-static 1.1.1.0 255.255.255.0 ethernet 1/1 2.2.2.2
[RouterB] ip route-static 1.1.1.0 255.255.255.0 ethernet 1/2 4.4.4.4
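A static pre-check of the Router B configuration above, added here as an example that is not part of the HP guide: it parses the CLI transcript and reports a policy group applied to several interfaces without a local-address binding, a source interface with no IP address, or a physical interface with no static route to the IKE peer. The function names, the prompt-parsing regex and the finding strings are assumptions of this example, and it assumes static routes name the outgoing interface as they do in this section.

```python
import ipaddress
import re

# Subset of the Router B transcript from this section, reused as sample input.
ROUTER_B = """\
[RouterB-ike-peer-peer] remote-address 1.1.1.1
[RouterB-LoopBack0] ip address 3.3.3.3 32
[RouterB] ipsec policy map1 local-address loopback 0
[RouterB-Ethernet1/1] ipsec policy map1
[RouterB-Ethernet1/2] ipsec policy map1
[RouterB] ip route-static 1.1.1.0 255.255.255.0 ethernet 1/1 2.2.2.2
[RouterB] ip route-static 1.1.1.0 255.255.255.0 ethernet 1/2 4.4.4.4
"""

# "[host-view] command"; assumes the device name itself contains no hyphen.
LINE = re.compile(r"\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s+(?P<cmd>.+)")

def norm(ifname):  # 'ethernet 1/1' and 'Ethernet1/1' -> 'ethernet1/1'
    return ifname.replace(" ", "").lower()

def audit(transcript):
    """Return findings for policy groups that should share a source interface."""
    applied, bound, addressed, peers, routes = {}, {}, set(), [], []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # comment lines and command output
        view, cmd = norm(m["view"] or ""), m["cmd"].split()
        if cmd[:2] == ["ipsec", "policy"] and "local-address" in cmd:
            bound[cmd[2]] = norm("".join(cmd[4:]))  # policy -> source interface
        elif cmd[:2] == ["ipsec", "policy"] and view and len(cmd) == 3:
            applied.setdefault(cmd[2], []).append(view)  # policy -> interfaces
        elif cmd[:2] == ["ip", "address"] and view:
            addressed.add(view)
        elif cmd[0] == "remote-address":
            peers.append(ipaddress.ip_address(cmd[1]))
        elif cmd[:2] == ["ip", "route-static"]:  # assumes "dest mask interface next-hop"
            net = ipaddress.ip_network(f"{cmd[2]}/{cmd[3]}", strict=False)
            routes.append((net, norm("".join(cmd[4:-1]))))
    findings = []
    for policy, ifaces in applied.items():
        if len(ifaces) > 1 and policy not in bound:
            findings.append(f"{policy}: on {len(ifaces)} interfaces without local-address")
        if policy in bound and bound[policy] not in addressed:
            findings.append(f"{policy}: source {bound[policy]} has no ip address")
        for peer, iface in ((p, i) for p in peers for i in ifaces):
            if not any(peer in net and out == iface for net, out in routes):
                findings.append(f"{policy}: no route to {peer} via {iface}")
    return findings
```

An empty list from audit(ROUTER_B) means the policy group, its source interface and both uplink routes are consistent with each other; it says nothing about whether the peer's configuration matches.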
3. Verify the configuration:
After the configuration, IKE negotiation is triggered to set up SAs when there is traffic between
subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Physical interfaces Ethernet 1/1 and Ethernet 1/2
will use the shared source interface to negotiate IPsec SAs dynamically.
# Execute the display ipsec sa command. The output shows that the local address and peer
address of the IPsec tunnel are the IP addresses of the two shared source interfaces, respectively.
[RouterA] display ipsec sa
===============================
Interface: LoopBack0
path MTU: 1536
===============================