R0106-HP MSR Router Series Security Configuration Guide(V7)
[DeviceB-ipsec-transform-set-transform1] esp encryption-algorithm 3des-cbc
[DeviceB-ipsec-transform-set-transform1] esp authentication-algorithm md5
[DeviceB-ipsec-transform-set-transform1] quit
# Create IKE keychain keychain1.
[DeviceB] ike keychain keychain1
# Specify plaintext 12345zxcvb!@#$%ZXCVB as the pre-shared key to be used with the remote
peer at 1.1.1.1. (With the 255.255.255.0 mask given below, the key matches any peer address in 1.1.1.0/24, not only 1.1.1.1.)
[DeviceB-ike-keychain-keychain1] pre-shared-key address 1.1.1.1 255.255.255.0 key
simple 12345zxcvb!@#$%ZXCVB
[DeviceB-ike-keychain-keychain1] quit
# Create an IKE profile named profile1.
[DeviceB] ike profile profile1
# Reference IKE keychain keychain1.
[DeviceB-ike-profile-profile1] keychain keychain1
# Specify that IKE negotiation operates in aggressive mode.
[DeviceB-ike-profile-profile1] exchange-mode aggressive
# Configure a peer ID with the identity type of FQDN and the value www.devicea.com.
[DeviceB-ike-profile-profile1] match remote identity fqdn www.devicea.com
[DeviceB-ike-profile-profile1] quit
# Create an IPsec policy template with the name template1 and the sequence number 1.
[DeviceB] ipsec policy-template template1 1
# Reference IPsec transform set transform1 for the IPsec policy template.
[DeviceB-ipsec-policy-template-template1-1] transform-set transform1
# Specify 2.2.2.2 as the local address of the IPsec tunnel.
[DeviceB-ipsec-policy-template-template1-1] local-address 2.2.2.2
# Specify IKE profile profile1 for the IPsec policy template.
[DeviceB-ipsec-policy-template-template1-1] ike-profile profile1
[DeviceB-ipsec-policy-template-template1-1] quit
# Create an IKE-based IPsec policy entry with the name policy1 and the sequence number 1 by
referencing the IPsec policy template template1.
[DeviceB] ipsec policy policy1 1 isakmp template template1
# Enter the view of interface GigabitEthernet 2/1/1 and apply IPsec policy policy1 to it.
[DeviceB] interface gigabitethernet 2/1/1
[DeviceB-GigabitEthernet2/1/1] ipsec apply policy policy1
[DeviceB-GigabitEthernet2/1/1] quit
Verifying the configuration
# Initiate a connection from subnet 10.1.1.0/24 to subnet 10.1.2.0/24 to trigger IKE negotiation. After
IPsec SAs are successfully negotiated by IKE, traffic between the two subnets is IPsec protected.
# Display the IKE SA on Device A.
[DeviceA] display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
13 2.2.2.2 RD IPSEC
Flags:
RD--READY RL--REPLACED FD-FADING
[DeviceA] display ike sa verbose