R0106-HP MSR Router Series Security Configuration Guide(V7)

Make sure Router B has a route to the peer private network, with the outgoing interface as
GigabitEthernet 2/1/1.
4. Configure Router C and Router D in the same way Router B is configured.
Verifying the configuration
1. Verify that IPsec RRI can automatically create a static route from Router A to Router B:
# Initiate a connection from subnet 5.5.5.0/24 to subnet 4.4.4.0/24. IKE negotiation is triggered
to establish IPsec SAs between Router A and Router B.
# Verify that IPsec SAs are established on Router A.
[RouterA] display ipsec sa
-------------------------------
Interface: GigabitEthernet2/1/1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1463
Tunnel:
local address: 1.1.1.1
remote address: 2.2.2.2
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 1014286405 (0x3c74c845)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for nat traversal: N
Status: active
[Outbound ESP SAs]
SPI: 4011716027 (0xef1dedbb)
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3590
Max sent sequence-number: 4
UDP encapsulation used for nat traversal: N
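The verification step above can be scripted once the display ipsec sa output has been captured to text. The following is an added example, not code from this guide or from HP: it parses a single tunnel entry and reports a flow that does not match the expected subnets, a missing or non-active SA, an empty Perfect forward secrecy field, and a transform set that uses single DES. The function names, the sample text and the choice of checks are assumptions made for illustration.

```python
import re

# Constructed sample in the `display ipsec sa` layout above (page values, unused fields omitted).
SAMPLE = """\
Perfect forward secrecy:
Flow:
sour addr: 4.4.4.0/255.255.255.0 port: 0 protocol: ip
dest addr: 5.5.5.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Status: active
[Outbound ESP SAs]
Transform set: ESP-ENCRYPT-DES-CBC ESP-AUTH-SHA1
Status: active
"""

def parse_ipsec_sa(text):
    """Parse one tunnel entry into {'tunnel': {...}, 'Inbound': {...}, 'Outbound': {...}}."""
    sa = {"tunnel": {}}
    section = sa["tunnel"]
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(Inbound|Outbound) \w+ SAs\]", line)
        if m:  # fields after this header belong to that direction's SA
            section = sa.setdefault(m.group(1), {})
        elif ":" in line:
            key, _, value = line.partition(":")
            section[key.strip()] = value.strip()
    return sa

def audit(sa, src, dst):
    """Return findings: flow mismatch, empty PFS, missing/inactive SA, single DES."""
    t, findings = sa["tunnel"], []
    flow = tuple(t.get(k, "").partition(" ")[0] for k in ("sour addr", "dest addr"))
    if flow != (src, dst):
        findings.append(f"flow {flow} != expected {(src, dst)}")
    if not t.get("Perfect forward secrecy"):
        findings.append("Perfect forward secrecy field is empty")
    for direction in ("Inbound", "Outbound"):
        d = sa.get(direction)
        if d is None:
            findings.append(f"{direction} SA missing")
            continue
        if d.get("Status") != "active":
            findings.append(f"{direction} SA status is {d.get('Status')}")
        if any(x.endswith("-DES-CBC") for x in d.get("Transform set", "").split()):
            findings.append(f"{direction} SA uses single DES (56-bit key)")
    return findings

print(audit(parse_ipsec_sa(SAMPLE), "4.4.4.0/255.255.255.0", "5.5.5.0/255.255.255.0"))
```

An empty list means both SAs are active for the expected flow and none of the checks fired; for the sample, the empty PFS field and the DES-CBC transform set are reported.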