HP VSR1000 Security Configuration Manual page 219

Figure 59 Network diagram
Enterprise Center
Configuration procedure
1. Assign IPv4 addresses to the interfaces on the routers according to
2. Configure Router A:
# Create an IPsec transform set named tran1, and specify ESP as the security protocol, DES as the
encryption algorithm, and HMAC-SHA-1-96 as the authentication algorithm.
<RouterA> system-view
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode tunnel
[RouterA-ipsec-transform-set-tran1] protocol esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
# Create an IPsec policy template named temp1, referencing the transform set tran1.
[RouterA] ipsec policy-template temp1 1
[RouterA-ipsec-policy-template-temp1-1] transform-set tran1
# Enable IPsec RRI, set the preference to 100 and the tag to 1000 for the static routes created by
IPsec RRI.
[RouterA-ipsec-policy-template-temp1-1] reverse-route dynamic
[RouterA-ipsec-policy-template-temp1-1] reverse-route preference 100
[RouterA-ipsec-policy-template-temp1-1] reverse-route tag 1000
[RouterA-ipsec-policy-template-temp1-1] quit
# Create an IKE-based IPsec policy named map1 based on IPsec policy template temp1.
[RouterA] ipsec policy map1 10 isakmp template temp1
# Create an IKE proposal named 1, and specify 3DES as the encryption algorithm, HMAC-SHA1
as the authentication algorithm, and pre-share as the authentication method.
[RouterA] ike proposal 1
[RouterA-ike-proposal-1] encryption-algorithm 3des-cbc
[RouterA-ike-proposal-1] authentication-algorithm sha
[RouterA-ike-proposal-1] authentication-method pre-share
[RouterA-ike-proposal-1] quit
GE1/0
GE2/0
1.1.1.1/24
4.4.4.1/24
Router A
Host A
GE1/0
2.2.2.2/24
Internet
209
Branch
GE2/0
5.5.5.1/24
RouterB
Host B
Branch
Router C
Branch
Router D
Figure 59. (Details not shown.)