R2511-HP MSR Router Series Security Configuration Guide(V5)
[RouterB-pki-domain-domain_b] quit
# Import the CA certificate for certificate signing in offline mode.
[RouterB] pki import-certificate ca domain domain_b der filename bbb_ca.crt
Is the finger print correct?(Y/N):y
# Import the local certificate in offline mode.
[RouterB] pki import-certificate local domain domain_b p12 filename hw002.pfx
2. Configure ACL 3101 to identify traffic from subnet 10.1.2.0/24 to subnet 10.1.1.0/24.
[RouterB] acl number 3101
[RouterB-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[RouterB-acl-adv-3101] quit
3. Configure an IPsec transform set:
# Create IPsec transform set transform_b.
[RouterB] ipsec transform-set transform_b
# Configure the IPsec transform set to use the security protocol ESP, encryption algorithm DES, and authentication algorithm SHA1.
[RouterB-ipsec-transform-set-transform_b] transform esp
[RouterB-ipsec-transform-set-transform_b] esp encryption-algorithm des
[RouterB-ipsec-transform-set-transform_b] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-transform_b] quit
4. Configure an IKEv2 proposal:
# Create IKEv2 proposal proposal_b.
[RouterB] ikev2 proposal proposal_b
# Configure the IKEv2 proposal to use the encryption algorithm AES-CBC-192, integrity protection algorithm MD5, PRF algorithm MD5, and 1024-bit DH group.
[RouterB-proposal-proposal_b] encryption aes-cbc-192
[RouterB-proposal-proposal_b] integrity md5
[RouterB-proposal-proposal_b] prf md5
[RouterB-proposal-proposal_b] group 2
[RouterB-proposal-proposal_b] quit
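The ACL in step 2 relies on Comware wildcard masks (a 1 bit means "don't care"), and steps 3 and 4 pick the algorithms that ESP and IKEv2 will negotiate. The following Python script is an added example, not part of the configuration guide or of HP's code: it parses those commands as they would appear in a saved configuration, evaluates the ACL against sample addresses, and flags algorithm choices that RFC 8221 (ESP) and RFC 8247 (IKEv2) classify as MUST NOT or SHOULD NOT. The sample configuration text, the RFC summary table and all function names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample input: the Router B commands from steps 2-4 above, as they
# would appear in a saved configuration (prompts stripped, sub-commands indented).
SAMPLE_CONFIG = """\
acl number 3101
 rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ipsec transform-set transform_b
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ikev2 proposal proposal_b
 encryption aes-cbc-192
 integrity md5
 prf md5
 group 2
"""

# Algorithm choices that RFC 8221 (ESP) and RFC 8247 (IKEv2) mark as MUST NOT or
# SHOULD NOT. Keys are (Comware keyword, algorithm token). This table is the
# example's own summary of those RFCs, not taken from the configuration guide.
WEAK_ALGORITHMS = {
    ("esp encryption-algorithm", "des"): "single DES is MUST NOT (RFC 8221)",
    ("esp encryption-algorithm", "3des"): "3DES is SHOULD NOT (RFC 8221)",
    ("esp authentication-algorithm", "md5"): "HMAC-MD5 is MUST NOT (RFC 8221)",
    ("encryption", "des"): "single DES is MUST NOT (RFC 8247)",
    ("encryption", "3des"): "3DES is SHOULD NOT (RFC 8247)",
    ("integrity", "md5"): "HMAC-MD5 is MUST NOT (RFC 8247)",
    ("prf", "md5"): "PRF-HMAC-MD5 is MUST NOT (RFC 8247)",
    ("group", "1"): "768-bit MODP group is MUST NOT (RFC 8247)",
    ("group", "2"): "1024-bit MODP group is SHOULD NOT (RFC 8247)",
}


def audit_algorithms(config):
    """Return one (context, line, reason) tuple per weak algorithm found."""
    findings = []
    context = "(global)"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # an unindented line opens a new view (context)
            context = line
            continue
        for (keyword, alg), reason in WEAK_ALGORITHMS.items():
            if line.startswith(keyword + " "):
                # a command may list several algorithms; flag each weak one
                if alg in line[len(keyword):].split():
                    findings.append((context, line, reason))
    return findings


# 'rule [number] permit|deny ip source A WILDCARD destination B WILDCARD'
_RULE = re.compile(
    r"rule (?:\d+ )?(permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)$"
)


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl_rules(config):
    """Extract advanced ACL rules in configuration order as integer tuples."""
    rules = []
    for raw in config.splitlines():
        m = _RULE.match(raw.strip())
        if m:
            action, src, src_wc, dst, dst_wc = m.groups()
            rules.append((action, _to_int(src), _to_int(src_wc),
                          _to_int(dst), _to_int(dst_wc)))
    return rules


def _wildcard_match(addr, net, wildcard):
    # Wildcard semantics: only the bits that are 0 in the wildcard must be equal.
    return ((addr ^ net) & ~wildcard & 0xFFFFFFFF) == 0


def acl_action(rules, src, dst):
    """First-match evaluation; returns 'permit', 'deny', or None if no rule matches."""
    s, d = _to_int(src), _to_int(dst)
    for action, net_s, wc_s, net_d, wc_d in rules:
        if _wildcard_match(s, net_s, wc_s) and _wildcard_match(d, net_d, wc_d):
            return action
    return None


if __name__ == "__main__":
    for ctx, line, reason in audit_algorithms(SAMPLE_CONFIG):
        print(f"[{ctx}] {line}: {reason}")
    rules = parse_acl_rules(SAMPLE_CONFIG)
    print("10.1.2.7 -> 10.1.1.9:", acl_action(rules, "10.1.2.7", "10.1.1.9"))
    print("10.1.1.9 -> 10.1.2.7:", acl_action(rules, "10.1.1.9", "10.1.2.7"))
```

Run against the sample, the audit reports DES in the transform set and MD5 integrity, MD5 PRF and DH group 2 in the IKEv2 proposal, while AES-CBC-192 and SHA1 pass; the ACL check confirms that traffic from 10.1.2.0/24 to 10.1.1.0/24 is matched and that the reverse direction is not (Router A's mirror-image ACL handles that side). The parser only depends on the one-space indentation of sub-commands, so it can be pointed at any saved configuration with the same layout.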
5. Configure an IKEv2 policy:
# Create IKEv2 policy policy_b.
[RouterB] ikev2 policy policy_b
# Configure the IKEv2 policy to use IKEv2 proposal proposal_b.
[RouterB-policy-policy_b] proposal proposal_b
[RouterB-policy-policy_b] quit
6. Configure an IKEv2 profile:
# Create IKEv2 profile profile_b.
[RouterB] ikev2 profile profile_b
# Set both the local and remote authentication methods to RSA digital certificate.
[RouterB-profile-profile_b] authentication local rsa-sig
[RouterB-profile-profile_b] authentication remote rsa-sig
# Use the DN as the local identity information.
[RouterB-profile-profile_b] identity local dn
# Use local interface Ethernet 1/1 for IKEv2 policy matching.