To Next Page

To Previous Page

161

Step Command Remarks

3. Assign an ACL to the

IPsec policy.

security

acl

acl-number

Not needed for IPsec policies to be

applied to IPv6 routing protocols and

required for other applications.

By default, an IPsec policy references

no ACL.

The ACL supports match criteria of the

VPN attribute.

An IPsec policy can reference only one

ACL. If you apply multiple ACLs to an

IPsec policy, only the most recent one

takes effect.

4. Assign an IPsec

transform set to the

IPsec policy.

transform-set

transform-set-name

By default, an IPsec policy references

no IPsec transform set.

A manual IPsec policy can reference

only one IPsec transform set. To

change an IPsec transform set for an

IPsec policy, you must remove the

reference first.

5. Configure the local

address of the IPsec

tunnel

local

ip-address

Not needed for IPsec policies to be

applied to IPv6 routing protocols and

required for other applications.

Not configured by default.

6. Configure the remote

address of the IPsec

tunnel

remote

ip-address Not configured by default.

7. Configure an SPI for an

SA.

spi

{

inbound

outbound

}

{

esp

} spi-number

N/A

8. Configure keys for the

SA.

• Configure an authentication

key in hexadecimal for AH:

sa authentication-hex

{ inbound | outbound } ah

[ cipher | simple ] hex-key

• Configure an authentication

key in characters for AH:

sa string-key { inbound |

outbound } ah [ cipher |

simple ] string-key

• Configure a key in

characters for ESP:

sa string-key { inbound |

outbound } esp [ cipher |

simple ] string-key

• Configure an authentication

key in hexadecimal for ESP:

sa authentication-hex

{ inbound | outbound } esp

[ cipher | simple ] hex-key

• Configure an encryption key

in hexadecimal for ESP:

sa encryption-hex

{ inbound | outbound } esp

[ cipher | simple ] hex-key

Configure keys correctly for the security

protocol (AH or ESP) you have

specified.

If y

ou configure a key in two modes:

string and hexadecimal, only the most

recent configuration takes effect.

If you configure a key in characters for

ESP, the router automatically generates

an authentication key and an encryption

key for ESP.

The

string-key

command is not

available for FIPS mode.

Configuring an IPsec policy that uses IKE

To configure an IPsec policy that uses IKE, use one of the following methods:

Brand	HPE
Model	FlexNetwork MSR Series
Category	Network Router
Language	English

HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide

Table of Contents

Other manuals for HPE FlexNetwork MSR Series

Questions and Answers:

HPE FlexNetwork MSR Series Specifications

Related product manuals