Configuring a Manual IPsec Policy - HP MSR Series Configuration Manual
HPE FlexNetwork MSR Router Series

Step 5. Specify the mode in which the security protocol encapsulates IP packets.
  Command: encapsulation-mode { transport | tunnel }
  Remarks: By default, the security protocol encapsulates IP packets in tunnel mode.
    The transport mode applies only when the source and destination IP addresses of data flows match those of the IPsec tunnel.
    IPsec for IPv6 routing protocols supports only the transport mode.
    IPsec for ADVPN tunnels supports only the tunnel mode.

Step 6. (Optional.) Enable the Perfect Forward Secrecy (PFS) feature for the IPsec policy.
  Command:
    In non-FIPS mode: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }
    In FIPS mode: pfs { dh-group14 | dh-group19 | dh-group20 }
  Remarks: By default, the PFS feature is not used for SA negotiation.
    For more information about PFS, see "Configuring IKE."
    The security level of the Diffie-Hellman (DH) group of the initiator must be higher than or equal to that of the responder.
    The end without the PFS feature performs SA negotiation according to the PFS requirements of the peer end.
    The DH groups 19 and 20 are available only for IKEv2.

Step 7. (Optional.) Enable the Extended Sequence Number (ESN) feature.
  Command: esn enable [ both ]
  Remarks: By default, the ESN feature is disabled.

Configuring a manual IPsec policy

In a manual IPsec policy, the parameters are configured manually, such as the keys, the SPIs, and the IP addresses of the two ends in tunnel mode.

Configuration restrictions and guidelines

When you configure a manual IPsec policy, make sure the IPsec configuration at both ends of the IPsec tunnel meets the following requirements:

• The IPsec policies at the two ends must have IPsec transform sets that use the same security protocols, security algorithms, and encapsulation mode.
• The remote IPv4 address configured on the local end must be the same as the primary IPv4 address of the interface applied with the IPsec policy at the remote end. The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface applied with the IPsec policy at the remote end.
• At each end, configure parameters for both the inbound SA and the outbound SA, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
• The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
• The keys for the local and remote inbound and outbound SAs must be in the same format. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
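The restrictions above are easy to get wrong when the two routers are configured by hand, because a manual policy has no IKE negotiation to reject a mismatch; the tunnel simply fails or silently drops traffic. The following Python script is an added example, not part of the HPE manual, that models the two ends of a manually keyed tunnel and checks them against those rules: matching transform sets, remote-address pointing at the peer's interface address, local inbound SPI/key equal to remote outbound (and vice versa), a single key format across all four SAs, and per-device uniqueness of outbound (remote address, protocol, SPI) triplets and inbound SPIs. Device names, addresses, SPIs and keys are constructed sample values.

```python
"""Consistency checks for a manually keyed IPsec policy pair.

Added example (not from the HPE manual): models both ends of a manual
IPsec tunnel and checks them against the "Configuration restrictions and
guidelines". All names, addresses, SPIs and keys are constructed samples.
"""
from dataclasses import dataclass, replace
from typing import List, Set, Tuple


@dataclass(frozen=True)
class TransformSet:
    protocol: str        # "esp" or "ah"
    encryption: str      # encryption algorithm label (constructed)
    authentication: str  # authentication algorithm label (constructed)
    mode: str            # "tunnel" or "transport"


@dataclass(frozen=True)
class ManualSA:
    protocol: str    # security protocol the SA belongs to
    spi: int
    key: str
    key_format: str  # "string" (key in characters) or "hex"


@dataclass(frozen=True)
class PolicyEnd:
    device: str
    interface_address: str   # primary IPv4 address of the interface the policy is applied to
    remote_address: str      # remote address configured in this end's policy entry
    transform_set: TransformSet
    inbound: ManualSA
    outbound: ManualSA


def check_peer_pair(local: PolicyEnd, remote: PolicyEnd) -> List[str]:
    """Return the guideline violations between two ends (empty list if consistent)."""
    problems: List[str] = []
    # Rule 1: both ends must use the same protocol, algorithms and encapsulation mode.
    if local.transform_set != remote.transform_set:
        problems.append("transform sets differ (protocol, algorithms and mode must match)")
    # Rule 2: each end's remote address must be the peer's interface address.
    for a, b in ((local, remote), (remote, local)):
        if a.remote_address != b.interface_address:
            problems.append(f"{a.device}: remote address {a.remote_address} is not "
                            f"{b.device}'s interface address {b.interface_address}")
    # Rule 4: local inbound == remote outbound and local outbound == remote inbound.
    pairs = ((local.inbound, remote.outbound, f"{local.device} inbound / {remote.device} outbound"),
             (local.outbound, remote.inbound, f"{local.device} outbound / {remote.device} inbound"))
    for sa_a, sa_b, label in pairs:
        if sa_a.spi != sa_b.spi:
            problems.append(f"SPI mismatch for {label}: {sa_a.spi} vs {sa_b.spi}")
        if sa_a.key != sa_b.key:
            problems.append(f"key mismatch for {label}")
    # Rule 5: all four SAs must use keys in the same format.
    formats = {sa.key_format for sa in (local.inbound, local.outbound, remote.inbound, remote.outbound)}
    if len(formats) > 1:
        problems.append(f"mixed key formats {sorted(formats)}; all four SAs must use one format")
    return problems


def check_device_uniqueness(entries: List[PolicyEnd]) -> List[str]:
    """Rule 3, applied to all manual policy entries on one device."""
    problems: List[str] = []
    seen_out: Set[Tuple[str, str, int]] = set()
    seen_in: Set[int] = set()
    for e in entries:
        triplet = (e.remote_address, e.outbound.protocol, e.outbound.spi)
        if triplet in seen_out:
            problems.append(f"duplicate outbound SA triplet {triplet}")
        seen_out.add(triplet)
        if e.inbound.spi in seen_in:
            problems.append(f"duplicate inbound SPI {e.inbound.spi}")
        seen_in.add(e.inbound.spi)
    return problems


# Constructed sample data: RouterA <-> RouterB, correctly mirrored.
TS = TransformSet("esp", "aes-cbc-128", "sha1", "tunnel")
SITE_A = PolicyEnd("RouterA", "192.0.2.1", "198.51.100.1", TS,
                   inbound=ManualSA("esp", 12345, "b-to-a-key", "string"),
                   outbound=ManualSA("esp", 54321, "a-to-b-key", "string"))
SITE_B = PolicyEnd("RouterB", "198.51.100.1", "192.0.2.1", TS,
                   inbound=ManualSA("esp", 54321, "a-to-b-key", "string"),
                   outbound=ManualSA("esp", 12345, "b-to-a-key", "string"))
# A misconfigured RouterB: wrong outbound SPI and a hex key on the inbound SA.
SITE_B_BAD = replace(SITE_B,
                     outbound=ManualSA("esp", 12346, "b-to-a-key", "string"),
                     inbound=ManualSA("esp", 54321, "a-to-b-key", "hex"))
# A second entry on RouterA (to another peer) that reuses inbound SPI 12345.
SITE_A_TO_C = replace(SITE_A, remote_address="203.0.113.1",
                      outbound=ManualSA("esp", 54322, "a-to-c-key", "string"))

if __name__ == "__main__":
    print("A<->B:", check_peer_pair(SITE_A, SITE_B) or "consistent")
    print("A<->B(bad):", check_peer_pair(SITE_A, SITE_B_BAD))
    print("RouterA uniqueness:", check_device_uniqueness([SITE_A, SITE_A_TO_C]))
```

Running the script against the correctly mirrored pair reports no problems; against the misconfigured RouterB it reports the SPI mismatch between RouterA's inbound SA and RouterB's outbound SA and the mixed key formats, and the second RouterA entry triggers the duplicate inbound SPI finding. The transform-set comparison uses dataclass equality, so any differing field (protocol, either algorithm, or mode) is flagged.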
