R2511-HP MSR Router Series Security Configuration Guide(V5)
215
[RouterB-ike-peer-peer] quit
# Create an IPsec policy that uses IKE negotiation.
[RouterB] ipsec policy use1 10 isakmp
# Reference ACL 3101 to identify the protected traffic.
[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101
# Reference IPsec transform set tran1.
[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1
# Reference IKE peer peer.
[RouterB-ipsec-policy-isakmp-use1-10] ike-peer peer
[RouterB-ipsec-policy-isakmp-use1-10] quit
# Assign an IP address to interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 10.1.2.1 255.255.255.0
[RouterB-Ethernet1/2] quit
# Assign an IP address to interface Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.255.0
# Apply the IPsec policy to interface Ethernet 1/1.
[RouterB-Ethernet1/1] ipsec policy use1
[RouterB-Ethernet1/1] quit
# Configure a static route to subnet 10.1.1.0/24.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
4. Verify the configuration:
# Check the IKE proposal configuration.
[RouterA] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
10        PRE_SHARED      MD5             DES_CBC     MODP_768        5000
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400
[RouterB] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400
Router A and Router B have only one pair of matching IKE proposals: the default proposal on each router (PRE_SHARED, SHA, DES_CBC, MODP_768). Router A's proposal 10 uses MD5 and has no counterpart on Router B. Matching IKE proposals do not need to use the same ISAKMP SA lifetime setting.
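The matching rule described above, as an added example that is not part of the HP guide: the script below parses the two display ike proposal outputs shown on this page, reports which proposal pairs agree on authentication method, hash, cipher and DH group (deliberately ignoring the lifetime column), and flags algorithms an auditor would want replaced. The parsing rules, the weak-algorithm list and the function names are my own assumptions, not documented router behaviour.

```python
"""Match IKE phase-1 proposals from two routers' "display ike proposal" output.

Added example, not from the HP MSR guide. Parsing rules and the WEAK set are
assumptions made for illustration.
"""
from typing import NamedTuple


class IkeProposal(NamedTuple):
    priority: str
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    lifetime: int  # ISAKMP SA duration in seconds


# Sample output copied from the configuration example on this page.
ROUTER_A_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
10 PRE_SHARED MD5 DES_CBC MODP_768 5000
default PRE_SHARED SHA DES_CBC MODP_768 86400
"""

ROUTER_B_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
default PRE_SHARED SHA DES_CBC MODP_768 86400
"""

# Assumed audit list: MD5 and DES are deprecated, and a 768-bit MODP group is
# far below current key-size guidance.
WEAK = {"MD5", "DES_CBC", "MODP_768"}


def parse_ike_proposals(text: str) -> list[IkeProposal]:
    """Return the proposal rows that follow the dashed separator line."""
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(IkeProposal(*fields[:5], int(fields[5])))
    return rows


def proposals_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Phase-1 match: auth method, hash, cipher and DH group must agree.

    The lifetime is intentionally not compared; the guide notes that matching
    proposals may carry different ISAKMP SA lifetimes.
    """
    return (a.auth_method, a.auth_alg, a.enc_alg, a.dh_group) == (
        b.auth_method, b.auth_alg, b.enc_alg, b.dh_group)


def find_matching_pairs(initiator: list[IkeProposal],
                        responder: list[IkeProposal]) -> list[tuple[str, str]]:
    """(initiator priority, responder priority) pairs, in the initiator's order."""
    return [(a.priority, b.priority)
            for a in initiator for b in responder if proposals_match(a, b)]


def weak_algorithms(p: IkeProposal) -> set[str]:
    """Algorithms in this proposal that appear on the assumed WEAK list."""
    return {p.auth_alg, p.enc_alg, p.dh_group} & WEAK


if __name__ == "__main__":
    a = parse_ike_proposals(ROUTER_A_OUTPUT)
    b = parse_ike_proposals(ROUTER_B_OUTPUT)
    print("matching pairs (A priority, B priority):", find_matching_pairs(a, b))
    for name, rows in (("Router A", a), ("Router B", b)):
        for p in rows:
            print(f"{name} proposal {p.priority}: weak = {sorted(weak_algorithms(p))}")
```

Run with the outputs above and only the (default, default) pair matches; proposal 10 on Router A is left without a partner because of its MD5 hash. Every proposal on the page is also flagged for DES_CBC and MODP_768, which is the kind of finding a configuration review of this example should raise.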
# Send traffic from subnet 10.1.1.0/24 to subnet 10.1.2.0/24. Router A starts IKE negotiation
with Router B when receiving the first packet.
# Display the SAs established in the two IKE negotiation phases.
[RouterA] display ike sa
total phase-1 SAs: 1
connection-id  peer     flag   phase  doi
----------------------------------------------------------
1              2.2.2.2  RD|ST  1      IPSEC
2              2.2.2.2  RD|ST  2      IPSEC