R2511-HP MSR Router Series Security Configuration Guide(V5)
[RouterB-keyring-keyring_b] quit
6. Configure an IKEv2 profile:
# Create IKEv2 profile profile_b.
[RouterB] ikev2 profile profile_b
# Set both the local and remote authentication methods to pre-shared key.
[RouterB-profile-profile_b] authentication local pre-share
[RouterB-profile-profile_b] authentication remote pre-share
# Use the FQDN router_b as the local identity information.
[RouterB-profile-profile_b] identity local fqdn router_b
# Use the keyring keyring_b.
[RouterB-profile-profile_b] keyring keyring_b
# Use remote FQDN router_a for IKEv2 profile matching.
[RouterB-profile-profile_b] match identity remote fqdn router_a
[RouterB-profile-profile_b] quit
7. Configure an IPsec policy that uses IKEv2.
[RouterB] ipsec policy map 1 isakmp
[RouterB-ipsec-policy-isakmp-map1-1] encapsulation-mode tunnel
[RouterB-ipsec-policy-isakmp-map1-1] security acl 3101
[RouterB-ipsec-policy-isakmp-map1-1] ikev2 profile profile_b
[RouterB-ipsec-policy-isakmp-map1-1] remote-address 1.1.1.1
[RouterB-ipsec-policy-isakmp-map1-1] local-address 2.2.2.2
[RouterB-ipsec-policy-isakmp-map1-1] transform-set transform_b
[RouterB-ipsec-policy-isakmp-map1-1] quit
8. Assign an IP address to interface Ethernet 1/2.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 10.1.2.1 255.255.255.0
[RouterB-Ethernet1/2] quit
9. Assign an IP address to interface Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.0.0
10. Apply the IPsec policy group on interface Ethernet 1/1.
[RouterB-Ethernet1/1] ipsec policy map
[RouterB-Ethernet1/1] quit
11. Configure a static route to subnet 10.1.1.0/24.
[RouterB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1
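The cross-references made in steps 6 through 10 can be checked offline before the commands are applied. The following Python script is an added example, not part of the HP guide: parse and lint are hypothetical helper names, and the rule that the policy's local-address must equal an address on the interface carrying the policy is an assumption taken from this example's values (2.2.2.2 on Ethernet 1/1).

```python
import re

# Added example (not from the guide): Router B commands from steps 6-10, trimmed.
TRANSCRIPT = """\
[RouterB] ikev2 profile profile_b
[RouterB-profile-profile_b] quit
[RouterB] ipsec policy map 1 isakmp
[RouterB-ipsec-policy-isakmp-map1-1] ikev2 profile profile_b
[RouterB-ipsec-policy-isakmp-map1-1] local-address 2.2.2.2
[RouterB-ipsec-policy-isakmp-map1-1] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 2.2.2.2 255.255.0.0
[RouterB-Ethernet1/1] ipsec policy map
"""
OPENERS = {("ikev2", "profile"): "profile", ("ipsec", "policy"): "policy"}

def parse(transcript):
    # Hypothetical helper: (kind, name) -> commands typed inside that view.
    # Assumption: every view is left with "quit", as in the steps above.
    views, ctx = {}, None
    for line in transcript.splitlines():
        m = re.match(r"\s*\[[^\]]+\]\s*(\S.*)", line)
        if not m:
            continue
        w = m.group(1).split()
        if w == ["quit"]:
            ctx = None  # back to system view
        elif ctx is None and tuple(w[:2]) in OPENERS and len(w) > 2:
            ctx = views.setdefault((OPENERS[tuple(w[:2])], w[2]), [])
        elif ctx is None and w[0] == "interface":
            ctx = views.setdefault(("interface", " ".join(w[1:])), [])
        elif ctx is not None:
            ctx.append(w)
    return views

def lint(transcript):
    # Checks: profile reference resolves, policy is applied, local-address is on that interface.
    views, problems = parse(transcript), []
    kind = lambda k: {n: c for (t, n), c in views.items() if t == k}
    profiles, ifaces = kind("profile"), list(kind("interface").values())
    for name, cmds in kind("policy").items():
        host = [i for i in ifaces if ["ipsec", "policy", name] in i]
        addrs = {c[2] for i in host for c in i if c[:2] == ["ip", "address"]}
        if not host:
            problems.append(f"policy {name}: not applied to any interface")
        for c in cmds:
            if c[:2] == ["ikev2", "profile"] and c[2] not in profiles:
                problems.append(f"policy {name}: IKEv2 profile {c[2]} is not defined")
            if host and c[0] == "local-address" and c[1] not in addrs:
                problems.append(f"policy {name}: local-address {c[1]} is not on its interface")
    return problems
```

An empty list from lint(TRANSCRIPT) means the three cross-references agree; each returned string names the policy and the reference that does not resolve.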
Verifying the configuration
When traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 goes through Router A and Router B,
IKEv2 negotiation should be triggered. You can check whether the configurations on the routers are as
expected and whether the expected IKEv2 SAs and IPsec SAs have been established.
Take Router A as an example:
# Display the IKEv2 proposal configuration information.
[RouterA] display ikev2 proposal
IKEv2 proposal : proposal_a
Encryption : AES-CBC-192
Integrity : MD5










