R0106-HP MSR Router Series Security Configuration Guide(V7)
Step 2. Enter IPsec policy view or IPsec policy template view.
    Command:
    • To enter IPsec policy view:
      ipsec { policy | ipv6-policy } policy-name seq-number isakmp
    • To enter IPsec policy template view:
      ipsec { policy-template | ipv6-policy-template } template-name seq-number
    Remarks: N/A
Step 3. Enable IPsec RRI.
    Command: reverse-route dynamic
    Remarks: By default, IPsec RRI is disabled. IPsec RRI is supported in both tunneling mode and transport mode.
Step 4. (Optional.) Set the preference value for the static routes created by IPsec RRI.
    Command: reverse-route preference number
    Remarks: The default value is 60.
Step 5. (Optional.) Set the tag value for the static routes created by IPsec RRI.
    Command: reverse-route tag tag-value
    Remarks: The default value is 0.
Configuring IPsec for IPv6 routing protocols
Configuration task list
Complete the following tasks to configure IPsec for IPv6 routing protocols:
Tasks at a glance
(Required.) Configuring an IPsec transform set
(Required.) Configuring a manual IPsec profile
(Required.) Applying the IPsec profile to an IPv6 routing protocol (see Layer 3—IP Routing Configuration Guide)
(Optional.) Enabling logging of IPsec packets
(Optional.) Configuring SNMP notifications for IPsec
Configuring a manual IPsec profile
An IPsec profile is similar to an IPsec policy. The difference is that an IPsec profile is uniquely identified
by a name and it does not support ACL configuration. An IPsec profile defines the IPsec transform set
used for protecting data flows, and specifies SPIs and the keys used by the SAs.
When you configure a manual IPsec profile, make sure the IPsec profile configuration at both tunnel ends
meets the following requirements:
• The IPsec transform set referenced by the IPsec profile at the two tunnel ends must have the same
security protocol, encryption and authentication algorithms, and packet encapsulation mode.
• The local inbound and outbound IPsec SAs must have the same SPI and key.
• The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by
protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope