R0106-HP MSR Router Series Security Configuration Guide(V7)
# Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 2.2.2.2.
[RouterA] ike keychain key1
[RouterA-ike-keychain-key1] pre-shared-key address 2.2.2.2 key simple 123
[RouterA-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/1/1.
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ipsec apply policy map1
[RouterA-GigabitEthernet2/1/1] quit
3. Configure Router B:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterB-ipsec-transform-set-tran1] protocol esp
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
# Configure ACL 3000 to identify traffic from subnet 5.5.5.0/24 to subnet 4.4.4.0/24.
[RouterB] acl number 3000
[RouterB-acl-adv-3000] rule permit ip source 5.5.5.0 0.0.0.255 destination 4.4.4.0 0.0.0.255
[RouterB-acl-adv-3000] quit
# Create an IKE-based IPsec policy entry with the name map1 and the sequence number 10. Reference the transform set tran1 and ACL 3000, and specify the remote IP address for the tunnel as 1.1.1.1.
[RouterB] ipsec policy map1 10 isakmp
[RouterB-ipsec-policy-isakmp-map1-10] transform-set tran1
[RouterB-ipsec-policy-isakmp-map1-10] security acl 3000
[RouterB-ipsec-policy-isakmp-map1-10] remote-address 1.1.1.1
[RouterB-ipsec-policy-isakmp-map1-10] quit
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1 as the authentication algorithm, and pre-share as the authentication method.
[RouterB] ike proposal 1
[RouterB-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterB-ike-proposal-1] authentication-algorithm sha
[RouterB-ike-proposal-1] authentication-method pre-share
[RouterB-ike-proposal-1] quit
# Create an IKE keychain named key1 and specify the plaintext 123 as the pre-shared key to be used with the remote peer at 1.1.1.1.
[RouterB] ike keychain key1
[RouterB-ike-keychain-key1] pre-shared-key address 1.1.1.1 key simple 123
[RouterB-ike-keychain-key1] quit
# Apply the IPsec policy map1 to interface GigabitEthernet 2/1/1.
[RouterB] interface gigabitethernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ipsec apply policy map1
[RouterB-GigabitEthernet2/1/1] quit
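
The Router B settings above can be reviewed offline before the tunnel goes into service. The following Python check is an added example, not part of the HP guide: it flags DES/3DES ciphers, short plaintext pre-shared keys, and tunnel peers that have no keychain entry. The sample text is constructed from the Router B commands on this page (prompts replaced by indentation), and the audit() function and the MIN_PSK_LEN threshold are assumptions of this example.

```python
import re

# Constructed sample: the Router B commands from this page, one view per block.
ROUTER_B = """\
ipsec transform-set tran1
 encapsulation-mode tunnel
 protocol esp
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ipsec policy map1 10 isakmp
 transform-set tran1
 security acl 3000
 remote-address 1.1.1.1
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm sha
 authentication-method pre-share
ike keychain key1
 pre-shared-key address 1.1.1.1 key simple 123
"""

WEAK_CIPHERS = {"des", "des-cbc", "3des-cbc"}  # 56-bit DES and legacy 3DES
MIN_PSK_LEN = 20  # assumption: local policy value, not taken from the guide

def audit(config):
    """Return (view, finding) tuples for one device's IPsec/IKE settings."""
    findings, view, peers, keyed = [], "", set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # an unindented line opens a new view
            view = line
            continue
        m = re.fullmatch(r"(?:esp )?encryption-algorithm (\S+)", line)
        if m and m.group(1) in WEAK_CIPHERS:
            findings.append((view, f"weak cipher {m.group(1)}"))
        m = re.fullmatch(r"pre-shared-key address (\S+) key (simple|cipher) (\S+)", line)
        if m:
            keyed.add(m.group(1))
            # Only a plaintext ("simple") key has a meaningful length here.
            if m.group(2) == "simple" and len(m.group(3)) < MIN_PSK_LEN:
                findings.append((view, f"short pre-shared key for {m.group(1)}"))
        m = re.fullmatch(r"remote-address (\S+)", line)
        if m:
            peers.add(m.group(1))
    for peer in sorted(peers - keyed):   # tunnel peer without a keychain entry
        findings.append(("ike keychain", f"no pre-shared key for peer {peer}"))
    return findings
```

Running audit(ROUTER_B) reports the DES transform set, the 3DES IKE proposal, and the three-character pre-shared key.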