R2511-HP MSR Router Series Security Configuration Guide(V5)
477
Group domain VPN configuration example
Network requirements
As shown in Figure 153, set up a group domain VPN on the network to protect traffic between subnets, as follows:
• Add GM 1, GM 2, and GM 3 to GDOI group 12345, and configure them to register with the KS that manages the group.
• Use the IPsec security protocol ESP, encryption algorithm AES-CBC 128, and authentication algorithm SHA1 to protect the data.
• Configure IPsec to protect traffic from subnet 10.1.1.0 to subnet 10.1.2.0, and traffic from subnet 10.1.1.0 to subnet 10.1.3.0.
• Use pre-shared key authentication for IKE negotiation between the KS and the GMs.
• Configure the KS to multicast rekey messages to the GMs.
• Configure KS 1 and KS 2 to back up each other. KS 1 and KS 2 use pre-shared key authentication for IKE negotiation.
Figure 153 Network diagram
Configuration procedure
Make sure each GM (GM 1, GM 2, and GM 3) and each KS can reach each other, and the two KSs can reach each other.
Make sure the multicast packets between the GMs and the multicast rekey messages between the KS and GMs can be forwarded correctly.
By default, the KS multicasts rekey messages. To unicast rekey messages, use the rekey transport unicast command.