R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

281

282

283

284

285

286

287

288

289

290

274

# Create an IPsec transform set named tran1.

[RouterB] ipsec transform-set tran1

# Specify the encapsulation mode as tunnel.

[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel

# Specify the security protocol as ESP.

[RouterB-ipsec-transform-set-tran1] protocol esp

# Specify the ESP encryption and authentication algorithms.

[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[RouterB-ipsec-transform-set-tran1] quit

# Create and configure the IKE keychain named keychain1.

[RouterB] ike keychain keychain1

[RouterB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key

simple 123456TESTplat&!

[RouterB-ike-keychain-keychain1] quit

# Create and configure the IKE profile named profile1.

[RouterB] ike profile profile1

[RouterB-ike-profile-profile1] keychain keychain1

[RouterB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0

[RouterB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10.

[RouterB] ipsec policy use1 10 isakmp

# Apply ACL 3101.

[RouterB-ipsec-policy-isakmp-use1-10] security acl 3101

# Apply the IPsec transform set tran1.

[RouterB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify the local and remote IP addresses of the IPsec tunnel as 2.2.3.1 and 2.2.2.1.

[RouterB-ipsec-policy-isakmp-use1-10] local-address 2.2.3.1

[RouterB-ipsec-policy-isakmp-use1-10] remote-address 2.2.2.1

# Apply the IKE profile profile1.

[RouterB-ipsec-policy-isakmp-use1-10] ike-profile profile1

[RouterB-ipsec-policy-isakmp-use1-10] quit

# Apply the IPsec policy use1 to interface GigabitEthernet 2/1/2.

[RouterB] interface gigabitethernet 2/1/2

[RouterB-GigabitEthernet2/1/2] ip address 2.2.3.1 255.255.255.0

[RouterB-GigabitEthernet2/1/2] ipsec apply policy use1

[RouterB-GigabitEthernet2/1/2] quit

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After

IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.

# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses

Router A to verify the configuration.

[RouterA] display ipsec sa

-------------------------------

Interface: GigabitEthernet2/1/2