HP MSR2000 Configuration Manual page 155

#
ipsec policy testa 1 isakmp <---IPsec policy entry with a higher priority
security acl 3000
ike-profile aa
transform-set 1
#
ipsec policy testa 2 isakmp <---IPsec policy entry with a lower priority
security acl 3001
ike-profile bb
transform-set 1
IPsec configurations on Router B:
acl number 3001
rule 0 permit ip source 3.3.3.0 0.0.0.255 destination 1.1.2.0 0.0.0.255
rule 1 deny ip
#
ipsec policy testb 1 isakmp
security acl 3001
ike-profile aa
transform-set 1
On Router A, apply the IPsec policy testa to the outbound interface of Router A. The IPsec policy contains
two policy entries, testa 1 and testa 2. The ACLs referenced by the two policy entries each contain a rule
that matches traffic from 1.1.2.0/24 to 3.3.3.0/24. The one referenced in policy entry testa 1 is a deny
statement and the one referenced in policy entry testa 2 is a permit statement. Because testa 1 is matched
prior to testa 2, traffic from 1.1.2.0/24 to 3.3.3.0/24 will match the deny statement and be sent as
normal traffic. When the traffic arrives at Router B, the traffic matches rule 0 (a permit statement) in ACL
3001 referenced in the applied IPsec policy testb. Because non-IPsec traffic that matches a permit
statement must be dropped on the inbound interface, Router B drops the traffic.
To make sure subnet 1.1.2.0/24 can access subnet 3.3.3.0/24, you can delete the deny rule in ACL
3000 on Router A.
Mirror image ACLs
To make sure SAs can be set up and the traffic protected by IPsec can be processed correctly between
two IPsec peers, create mirror image ACLs on the IPsec peers. As shown in Figure 42, ACL rules on Router
B are mirror images of the rules on Router A. In this way, SAs can be created successfully for the traffic
between Host A and Host C and for the traffic between Network 1 and Network 2.
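Added example (not from the HP manual): a small Python model of the matching behaviour described in this section and of the mirror-image rule, with the page's ACLs constructed inline. Router A's ACL 3000 is not shown on this page, so its deny rule for 1.1.2.0/24 to 3.3.3.0/24 is assumed from the text; the inbound check applies the peer's ACL in reverse via mirror(), which is also used to confirm that Router B's rule 0 mirrors Router A's permit rule.

```python
import ipaddress
N = ipaddress.ip_network  # short alias; None in place of a network means "any"

# Constructed ACLs for the manual's scenario; a rule is (action, source, destination).
# Router A's ACL 3000 is on the previous page: its deny rule is assumed from the text.
ACL_A_3000 = [("deny", N("1.1.2.0/24"), N("3.3.3.0/24"))]       # referenced by testa 1
ACL_A_3001 = [("permit", N("1.1.2.0/24"), N("3.3.3.0/24"))]     # referenced by testa 2
ACL_B_3001 = [("permit", N("3.3.3.0/24"), N("1.1.2.0/24")),     # rule 0
              ("deny", None, None)]                             # rule 1: deny ip
POLICY_A = {1: ACL_A_3000, 2: ACL_A_3001}  # ipsec policy testa, entry 1 has higher priority
POLICY_B = {1: ACL_B_3001}                 # ipsec policy testb, entry 1

def acl_match(acl, src, dst):
    """Action of the first rule matching src->dst, or None when no rule matches."""
    for action, s_net, d_net in acl:
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action
    return None

def mirror(acl):
    """Mirror image of an ACL: swap source and destination of every rule."""
    return [(action, d_net, s_net) for action, s_net, d_net in acl]

def outbound(policy, src, dst):
    """Outbound side: entries are tried in sequence-number order and the first ACL hit
    decides. permit -> protect with IPsec; deny or no match -> send as normal traffic."""
    for _, acl in sorted(policy.items()):
        action = acl_match(acl, src, dst)
        if action is not None:
            return "ipsec" if action == "permit" else "plain"
    return "plain"

def inbound(policy, src, dst, arrived_as):
    """Inbound side: the peer's ACL is applied in reverse (mirror), and non-IPsec
    traffic that matches a permit statement must be dropped."""
    for _, acl in sorted(policy.items()):
        action = acl_match(mirror(acl), src, dst)
        if action == "permit":
            return "accept" if arrived_as == "ipsec" else "drop"
        if action == "deny":
            return "accept"
    return "accept"

def end_to_end(policy_a, policy_b, src, dst):
    """How a flow leaves Router A and what Router B does with it on arrival."""
    sent_as = outbound(policy_a, src, dst)
    return sent_as, inbound(policy_b, src, dst, sent_as)

# The fix the manual gives: delete the deny rule from ACL 3000 (here, the ACL's only rule).
FIXED_POLICY_A = {1: [], 2: ACL_A_3001}
SRC, DST = ipaddress.ip_address("1.1.2.10"), ipaddress.ip_address("3.3.3.10")
```

end_to_end(POLICY_A, POLICY_B, SRC, DST) reproduces the manual's outcome ("plain", "drop"); with FIXED_POLICY_A the same flow is sent as IPsec and accepted by Router B.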