R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

311

312

313

314

315

316

317

318

319

320

301

# Specify the encryption and authentication algorithms.

[DeviceB-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

[DeviceB-ipsec-transform-set-tran1] esp authentication-algorithm sha1

[DeviceB-ipsec-transform-set-tran1] quit

# Create and IKE keychain named keychain1.

[DeviceB]ike keychain keychain1

# Specify plaintext 123456TESTplat&! as the pre-shared key to be used with the remote peer at

1.1.1.1.

[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key

simple 123456TESTplat&!

[DeviceB-ike-keychain-keychain1] quit

# Create an IKE profile named profile1.

[DeviceB] ike profile profile1

# Specify IKE keychain keychain1

[DeviceB-ike-profile-profile1] keychain keychain1

# Configure the local ID with the identity type as IP address and the value as 2.2.2.2.

[DeviceB-ike-profile-profile1] local-identity address 2.2.2.2

# Configure a peer ID with the identity type as IP address and the value as 1.1.1.1/24.

[DeviceB-ike-profile-profile1] match remote identity address 1.1.1.1 255.255.255.0

[DeviceB-ike-profile-profile1] quit

# Create an IKE-based IPsec policy entry with the name use1 and the sequence number 10.

[DeviceB] ipsec policy use1 10 isakmp

# Specify the remote IP address 1.1.1.1 for the IPsec tunnel.

[DeviceB-ipsec-policy-isakmp-use1-10] remote-address 1.1.1.1

# Reference ACL 3101 to identify the traffic to be protected.

[DeviceB-ipsec-policy-isakmp-use1-10] security acl 3101

# Reference IPsec transform set tran1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] transform-set tran1

# Specify IKE profile profile1 for the IPsec policy.

[DeviceB-ipsec-policy-isakmp-use1-10] ike-profile profile1

[DeviceB-ipsec-policy-isakmp-use1-10] quit

# Apply IPsec policy use1 to interface GigabitEthernet 2/1/1.

[DeviceB-GigabitEthernet2/1/1] ipsec apply policy use1

# Configure a static route to the subnet where Host A resides.

[DeviceB] ip route-static 10.1.1.0 255.255.255.0 1.1.1.1

Verifying the configuration

# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After

IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected.

# Display the IKE proposal configuration on Device A and Device B. Because no IKE proposal is

configured, the command displays the default IKE proposal.

[DeviceA] display ike proposal

Priority Authentication Authentication Encryption Diffie-Hellman Duration

method algorithm algorithm group (seconds)

----------------------------------------------------------------------------

default PRE-SHARED-KEY SHA1 AES-CBC-128 Group 1 86400