R2511-HP MSR Router Series Security Configuration Guide(V5)
in use setting: Transport
connection id: 13
No duration limit for this sa
[outbound ESP SAs]
spi: 0x3039(123456)
transform: ESP-ENCRYPT-DES ESP-AUTH-SHA1
in use setting: Transport
connection id: 14
No duration limit for this sa
Similarly, you can view the information on Router B and Router C. (Details not shown.)
Configuring IPsec RRI
Network requirements
As shown in Figure 61, configure an IPsec tunnel between Router A and Router B to protect the traffic
between the headquarters and the branch. Configure the tunnel to use the security protocol ESP, the
encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96. Use IKE for automatic SA
negotiation.
Configure IPsec RRI on Router A to automatically create a static route to the branch based on the
established IPsec SAs. Specify the next hop of the route as 1.1.1.2.
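A model of the static route RRI is expected to create in this scenario, given as an added example that is not part of the HP guide: it derives the destination prefix from the destination and wildcard mask of ACL 3101 and pairs it with the next hop 1.1.1.2. The function names and the sample route list are hypothetical and constructed for illustration; the model assumes the route's destination is the protected peer subnet.

```python
import ipaddress
import re

# Address fields of a Comware advanced-ACL rule in the form used for ACL 3101.
RULE_RE = re.compile(r"rule permit ip source (\S+) (\S+) destination (\S+) (\S+)")

# ACL 3101 rule for traffic from 10.4.4.0/24 to 10.5.5.0/24.
ACL_3101_RULE = "rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255"


def wildcard_to_network(addr, wildcard):
    """Turn an address and wildcard mask into a prefix.

    A non-contiguous wildcard cannot be written as one static route,
    so it raises ValueError instead of guessing.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous wildcards have the form 2**n - 1
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))


def expected_rri_route(acl_rule, next_hop):
    """Return (destination prefix, next hop) for the protected peer subnet."""
    m = RULE_RE.search(acl_rule)
    if m is None:
        raise ValueError("unrecognised ACL rule: " + acl_rule)
    dest = wildcard_to_network(m.group(3), m.group(4))
    return str(dest), str(ipaddress.IPv4Address(next_hop))


def unexplained_routes(installed, acl_rules, next_hop):
    """List installed (prefix, next hop) pairs that no ACL rule accounts for."""
    expected = {expected_rri_route(r, next_hop) for r in acl_rules}
    return [route for route in installed if route not in expected]


if __name__ == "__main__":
    print(expected_rri_route(ACL_3101_RULE, "1.1.1.2"))
    # Constructed route list: the second entry is not covered by ACL 3101.
    sample = [("10.5.5.0/24", "1.1.1.2"), ("10.6.6.0/24", "1.1.1.2")]
    print(unexplained_routes(sample, [ACL_3101_RULE], "1.1.1.2"))
```

Comparing the routes RRI has installed against the prefixes the ACLs account for shows whether an overly broad rule is steering more traffic toward the tunnel peer than intended.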
Figure 61 Network diagram
Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to Figure 61. Make sure Router A
and Router B can reach each other. (Details not shown.)
2. Configure Router A:
# Configure ACL 3101 to identify traffic from subnet 10.4.4.0/24 to subnet 10.5.5.0/24.
<RouterA> system-view
[RouterA] acl number 3101
[RouterA-acl-adv-3101] rule permit ip source 10.4.4.0 0.0.0.255 destination 10.5.5.0 0.0.0.255
[RouterA-acl-adv-3101] quit
# Create IPsec transform set tran1.
[RouterA] ipsec transform-set tran1
[Figure 61 network diagram: Headquarters: Host A (10.4.4.4/24), Router A (Eth1/2 10.4.4.1/24, Eth1/1 1.1.1.1/16); Internet; Branch: Router B (Eth1/1 2.2.2.2/16, Eth1/2 10.5.5.1/24), Host B (10.5.5.5/24)]