R0106-HP MSR Router Series Security Configuration Guide(V7)
# Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10.
[RouterB] ipsec ipv6-policy use1 10 isakmp
# Apply ACL 3101.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] security acl 3101
# Apply the IPsec transform set tran1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] transform-set tran1
# Specify the local and remote IPv6 addresses of the IPsec tunnel as 222::1 and 111::1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] local-address ipv6 222::1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] remote-address ipv6 111::1
# Apply the IKE profile profile1.
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] ike-profile profile1
[RouterB-ipsec-ipv6-policy-isakmp-use1-10] quit
# Apply the IPsec policy use1 to interface GigabitEthernet 2/1/2.
[RouterB] interface gigabitethernet 2/1/2
[RouterB-GigabitEthernet2/1/2] ipv6 address 222::1/64
[RouterB-GigabitEthernet2/1/2] ipsec apply ipv6-policy use1
[RouterB-GigabitEthernet2/1/2] quit
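The Python script below is an added example, not part of the original guide. It checks that the Router B commands above are self-consistent: the policy's local and remote addresses mirror the peer's, the policy is applied to an interface, and the local address is configured on that interface. The function names parse and check are hypothetical, the command text is copied from the steps above with the view prompts removed, and the peer values are Router A's tunnel addresses (local 111::1, remote 222::1).

```python
import ipaddress

# Router B commands from the steps above, with the view prompts removed.
ROUTER_B = """\
ipsec ipv6-policy use1 10 isakmp
security acl 3101
transform-set tran1
local-address ipv6 222::1
remote-address ipv6 111::1
ike-profile profile1
quit
interface gigabitethernet 2/1/2
ipv6 address 222::1/64
ipsec apply ipv6-policy use1
quit
"""

def parse(text):
    """Collect IPsec policy entries and interface settings from a command list."""
    policies, interfaces, view = {}, {}, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[:2] == ["ipsec", "ipv6-policy"] and len(words) >= 4:
            view = policies.setdefault((words[2], words[3]), {})
        elif words[0] == "interface":
            view = interfaces.setdefault(" ".join(words[1:]), {"addrs": [], "policy": None})
        elif words[0] == "quit" or view is None:
            view = None  # left the view, or a command outside any tracked view
        elif words[0] in ("local-address", "remote-address") and len(words) == 3:
            view[words[0]] = ipaddress.IPv6Address(words[2])
        elif words[:2] == ["ipv6", "address"] and "addrs" in view:
            view["addrs"].append(ipaddress.IPv6Interface(words[2]).ip)
        elif words[:3] == ["ipsec", "apply", "ipv6-policy"] and "addrs" in view:
            view["policy"] = words[3]
    return policies, interfaces

def check(text, peer_local, peer_remote):
    """Return findings; an empty list means the tunnel endpoints are consistent."""
    policies, interfaces = parse(text)
    want = (ipaddress.IPv6Address(peer_remote), ipaddress.IPv6Address(peer_local))
    findings = []
    for (name, seq), p in policies.items():
        local = p.get("local-address")
        if (local, p.get("remote-address")) != want:
            findings.append(f"{name} {seq}: endpoints do not mirror the peer")
        applied = [i for i, s in interfaces.items() if s["policy"] == name]
        if not applied:
            findings.append(f"{name} {seq}: policy not applied to any interface")
        findings += [f"{name} {seq}: local-address not configured on {i}"
                     for i in applied if local not in interfaces[i]["addrs"]]
    return findings
```

Calling check(ROUTER_B, "111::1", "222::1") returns an empty list for the configuration shown on this page.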
Verifying the configuration
# Initiate a connection from subnet 333::/64 to subnet 555::/64 to trigger IKE negotiation. After IPsec SAs are successfully negotiated by IKE, the traffic between the two subnets is IPsec protected.
# Use the display ipsec sa command to display IPsec SAs on Router A and Router B. This example uses Router A to verify the configuration.
[RouterA] display ipsec sa
-------------------------------
Interface: GigabitEthernet2/1/2
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: isakmp
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1423
Tunnel:
local address: 111::1
remote address: 222::1
Flow:
sour addr: 111::1/0 port: 0 protocol: IPv6
dest addr: 222::1/0 port: 0 protocol: IPv6
[Inbound ESP SAs]
SPI: 3769702703 (0xe0b1192f)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1