R0106-HP MSR Router Series Security Configuration Guide(V7)
Checkzero : Enabled
Default Cost : 0
Maximum number of balanced paths : 8
Update time : 30 sec(s) Timeout time : 180 sec(s)
Suppress time : 120 sec(s) Garbage-Collect time : 120 sec(s)
Number of periodic updates sent : 186
Number of trigger updates sent : 1
IPsec profile name: profile001
# Use the display ipsec sa command to display the established IPsec SAs.
[RouterA] display ipsec sa
-------------------------------
Global IPsec SA
-------------------------------
-----------------------------
IPsec profile: profile001
Mode: manual
-----------------------------
Encapsulation mode: transport
[Inbound ESP SA]
SPI: 123456 (0x3039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 123456 (0x3039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
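The SA listing above can be audited mechanically. The following Python is an added example, not part of the HP guide: it parses the `display ipsec sa` text shown above and reports manually keyed SAs, SAs with no duration limit, and transforms that an example policy treats as weak. The policy set `WEAK_PARTS` and the function names are assumptions, as is the expectation that other transform names split on hyphens the same way as the two shown here.

```python
import re
# Constructed sample: the SA lines from the display output above, copied as text.
SAMPLE = """\
IPsec profile: profile001
Mode: manual
Encapsulation mode: transport
[Inbound ESP SA]
SPI: 123456 (0x3039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 123456 (0x3039)
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
No duration limit for this SA
"""
# Example policy (assumption): hyphen-separated name parts treated as weak.
WEAK_PARTS = {"DES", "3DES", "MD5", "SHA1"}

def parse_ipsec_sa(text):
    """Return one dict per [Inbound/Outbound <protocol> SA] block."""
    sas, ctx, cur = [], {"profile": None, "mode": None}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"IPsec profile: (\S+)", line):
            ctx, cur = {"profile": m[1], "mode": None}, None
        elif m := re.match(r"Mode: (\S+)", line):
            ctx["mode"] = m[1]
        elif m := re.match(r"\[(Inbound|Outbound) (\S+) SA\]", line):
            cur = dict(ctx, direction=m[1], protocol=m[2], transforms=[], no_lifetime=False)
            sas.append(cur)
        elif cur and (m := re.match(r"SPI: (\d+)", line)):
            cur["spi"] = int(m[1])
        elif cur and line.startswith("Transform set:"):
            cur["transforms"] = line.split(":", 1)[1].split()
        elif cur and line == "No duration limit for this SA":
            cur["no_lifetime"] = True
    return sas

def audit(sas):
    """Return sorted (profile, direction, finding) tuples under the example policy."""
    out = set()
    for sa in sas:
        notes = [f"weak algorithm in {t}" for t in sa["transforms"]
                 if WEAK_PARTS & set(t.split("-"))]
        if sa["mode"] == "manual":
            notes.append("manual keying: static keys")
        if sa["no_lifetime"]:
            notes.append("no SA duration limit")
        out.update((sa["profile"], sa["direction"], n) for n in notes)
    return sorted(out)
```

Calling `audit(parse_ipsec_sa(SAMPLE))` returns six findings for profile001, three per direction.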
Configuring IPsec RRI
Network requirements
As shown in Figure 84, branches access the enterprise center through an IPsec VPN.
Configure the IPsec VPN as follows:
• Configure an IPsec tunnel between Router A and each branch gateway (Router B, Router C, and Router D) to protect traffic between subnets 4.4.4.0/24 and 5.5.5.0/24.
• Configure the tunnels to use the security protocol ESP, the encryption algorithm DES, and the authentication algorithm SHA1-HMAC-96. Use IKE for IPsec SA negotiation.
• Configure the IKE proposal to use the pre-shared key authentication method, the encryption algorithm 3DES, and the authentication algorithm HMAC-SHA1.
• Configure IPsec RRI on Router A to automatically create static routes to the branches based on the established IPsec SAs.