R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

261

262

263

264

265

266

267

268

269

270

255

Ste

Command

Remarks

6. (Optional.) Enable the

Perfect Forward Secrecy

(PFS) feature for the IPsec

policy.

• In non-FIPS mode:

pfs { dh-group1 | dh-group2 |

dh-group5 | dh-group14 |

dh-group24 }

• In FIPS mode:

pfs dh-group14

By default, the PFS feature is not

used for SA negotiation.

For more information about PFS,

see "Configuring IKE."

The security level of the

Diffie-Hellman (

DH) group of the

initiator must be higher than or

equal to that of the responder.

The end without the PFS feature

performs SA negotiation according

to the PFS requirements of the peer

end.

Configuring a manual IPsec policy

In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP

addresses of the two ends in tunnel mode.

Configuration restrictions and guidelines

When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec

tunnel meets the following requirements:

• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols,

security algorithms, and encapsulation mode.

• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address

of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured

on the local end must be the same as the first IPv6 address of the interface applied with the IPsec

policy at the remote end.

• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure

the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address,

security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.

• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true

of the local outbound SA and remote inbound SA.

• The keys for the local and remote inbound and outbound SAs must be in the same format. For

example, if the local inbound SA uses a key in characters, the local outbound SA and remote

inbound and outbound SAs must use keys in characters.

Configuration procedure

To configure a manual IPsec policy:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a manual IPsec

policy entry and enter its

view.

ipsec { ipv6-policy | policy }

policy-name seq-number manual

By default, no IPsec policy exists.

3. (Optional.) Configure a

description for the IPsec

policy.

description text By default, no description is configured.